Peaches Posted July 23, 2010

23 July 2010, 11:47

Microsoft's new rule for dealing with security flaws

As a reaction to the growing criticism of its procedure for dealing with security flaw discoveries, Microsoft has announced a paradigm switch. "Responsible Disclosure" is dead; long live "Coordinated Vulnerability Disclosure" (CVD). As before, the focus is on cooperation between security experts and software vendors with the goal of keeping users out of harm's way. Information about a vulnerability is only to be made public once the vendor has developed and published a patch. But Microsoft does not mention the critical point: what happens when the vendor takes months or even more than a year to do so?

On Wednesday, Google's security team announced their new policy of a 60-day grace period within which software vendors are to provide fixes for critical flaws. If no patch is provided by that time, Google's security experts reserve the right to make their knowledge public. Microsoft has not gone along with this idea and makes no mention of such an obligation in its announcement. The only thing that Microsoft has to say for those waiting is that information about vulnerabilities can be made public even before a vendor has provided a patch if a flaw is demonstrably already being actively exploited. As Microsoft's Katie Moussouri explains in her blog post, the company still wishes to work with proponents of the competing concept of full disclosure.

Details - http://www.h-online....ws-1044087.html