Probably tired with everyone shouting out aloud when they found a security problem in Microsoft software, Microsoft has decided to turn the tables. They have announced their Coordinated Vulnerability Disclosure Policy for non-Microsoft software.
Under the principle of Coordinated Vulnerability Disclosure, finders disclose newly discovered vulnerabilities in hardware, software, and services directly to the vendors of the affected product, to a national CERT or other coordinator who will report to the vendor privately, or to a private service that will likewise report to the vendor privately. The finder allows the vendor the opportunity to diagnose and offer fully tested updates, workarounds, or other corrective measures before any party discloses detailed vulnerability or exploit information to the public.
We take the responsibility for fixing our products very seriously. We ask the security research community to give us an opportunity to correct the vulnerability before publicly disclosing it, as we ourselves do when we discover vulnerabilities in other vendors’ products.
This serves everyone’s best interests by ensuring that customers receive comprehensive, high-quality updates for security vulnerabilities but are not exposed to malicious attacks while the update is being developed. After customers are protected, public discussion of the vulnerability is entirely in order, and helps the industry at large improve its products.
Occasionally Microsoft employees may discover vulnerabilities in non-Microsoft or third-party software in the course of their daily work or as a result of independent research. In both of these cases, Microsoft employees observe coordinated vulnerability disclosure to help ensure that the ecosystem remains protected. Microsoft has developed a comprehensive strategy for handling vulnerabilities discovered in third-party software.
The Microsoft Vulnerability Research (MSVR) program is responsible for the discovery, reporting, and coordination of vulnerabilities in third-party products and services. In all cases, a Microsoft employee who discovers a vulnerability in third-party software informs the MSVR program, and works to disclose details of the vulnerability in a coordinated manner with the vendor.
Such vulnerabilities will be listed in Microsoft Vulnerability Research (MSVR) Advisories Archive. To begin with, Microsoft has released Microsoft Vulnerability Research Advisory MSVR11-001 and MSVR11-002 which highlights vulnerabilities affecting Google Chrome browser and Opera browser.
For more information on CVD, download the document, Coordinated Vulnerability Disclosure.
Leave a Reply