Developers will have to submit an updated application to Microsoft within 180 days of being notified of a critical or important severity issue.
Under a new policy for handling vulnerabilities in apps available through the Windows Store, Windows Phone Store, Office Store and Azure Marketplace, Microsoft said that it will require developers to fix security vulnerabilities in their apps. The policy also allows Microsoft to remove an app from sale if the developer does not provide an effective fix.
Microsoft also said that if an application is being exploited, it will work with a developer to have an update available as soon as possible, and it may remove the app from the store earlier if required.
It said in a statement: “We're doing this to help protect customers and to ensure the apps available in our stores are as secure as possible.
“We also realise there may be rare cases where a developer needs more than 180 days. Should that occur – it hasn't so far – we'll work with the developer to get an updated app replacement as soon as possible.”
Microsoft said that this is a new effort to help ensure users have confidence in the security of the software available in its online stores, including confidence that developers will respond ‘appropriately’ when a vulnerability is discovered.
“So far, we have had excellent cooperation from developers in fixing vulnerabilities in their programs. The policy change is just one more step that we are taking to help ensure that vulnerabilities are addressed appropriately,” it said.
“We expect that developers will address all vulnerabilities much faster than 180 days. To date, no apps have come close to exceeding this deadline. However, Microsoft may make exceptions, such as when issues affect multiple developers or are architectural in nature, where such action is prohibited by law, or at Microsoft's discretion.”