Microsoft's new rule for dealing with security flaws

23 July 2010, 11:47

As a reaction to the growing criticism of its procedure for dealing with security flaw discoveries, Microsoft has announced a paradigm switch. "Responsible Disclosure" is dead; long live "Coordinated Vulnerability Disclosure" (CVD).

As before, the focus is on cooperation between security experts and software vendors with the goal of keeping users out of harm's way. Information about a vulnerability is only to be made public once the vendor has developed and published a patch. But Microsoft does not mention the critical point: what happens when the vendor takes months or even more than a year to do so?

On Wednesday, Google's security team announced their new policy of a 60-day grace period within which software vendors are to provide fixes for critical flaws. If no patch is provided by that time, Google's security experts reserve the right to make their knowledge public. Microsoft has not gone along with this idea and makes no mention of such an obligation in its announcement. The only thing that Microsoft has to say for those waiting is that information about vulnerabilities can be made public even before a vendor has provided a patch if a flaw is demonstrably already being actively exploited. As Microsoft's Katie Moussouris explains in her blog post, the company still wishes to work with proponents of the competing concept of full disclosure.

Details -
