Microsoft has implemented a new company policy regarding vulnerability disclosure in non-Microsoft products (third-party products). Unsurprisingly they are following the ‘responsible disclosure’ line rather than the ‘full disclosure’ line favoured by the infosec community.
It’s fair enough though, as they say treat others as you wish to be treated. I’m pretty sure Microsoft would much prefer people to report vulnerabilities to them privately and give them adequate time to fix the problem before disclosing publicly.
If you really THAT interested, you can actually download the policy here (MS Word).
Microsoft has implemented a new company policy requiring all employees to follow a detailed set of procedures when reporting security vulnerabilities in third-party products.
The practices are an evolution of the coordinated vulnerability disclosure doctrine it proposed in July. They’re intended to simplify communication among affected parties and reduce the chances that vulnerability reports will result in it being exploited in the wild. Among other things, they require employees to send private notifications to the organization responsible for the vulnerable software, hardware or service and only later publish a public advisory.
“We’re definitely into the idea of no surprises for any of our vendors that we find vulnerabilities in,” said Microsoft Senior Security Strategist Katie Moussouris. “We’re basically following the golden rule for disclosure, and it’s all about protecting customers, because there’s no reason to unnecessarily amplify risk by imposing some sort of one-size-fits-all deadline on things.”
The policy (MS Word document here) applies to all Microsoft employees, whether they find vulnerabilities during their personal time or as part of their official duties. The procedures are intended to move away from the doctrine of “responsible disclosure,” which many people in security circles came to resent because it suggested all who disagreed with it were somehow behaving improperly.
It’s interesting to see a company really showing the public at large how they intend to deal with finding vulnerabilities in other peoples software. Google has published a similar (but MUCH less detailed) policy regarding disclosure.
Google will generally give 60 days before they publish a vulnerability publicly, a lot of people give up trying to contact vendors after a few bounced or unreplied e-mails and just post the details on mailing lists like Bugtraq or Full-disclosure.
What will be fascinating is to see what kind of vulnerabilities Microsoft will publish, it’ll give us some idea as to which products and what types of software they are looking at.
Under the policy, Microsoft employees who discover vulnerabilities will report them privately to the third-party organizations responsible. Encrypted email is the favored medium, but only after the employee has identified the right third-party person to receive the report. The reports should include crash dump information, proofs of concept or exploit code, root cause analysis, and other technical details.
“Any vulnerability information provided to the vendor is not intended for public use, but for the vendor’s use to identify and remediate the vulnerability,” the policy states.
For the first time, Microsoft will begin publishing advisories about the vulnerabilities its employees have discovered – preferably only after the security hole has been patched. Microsoft may also issue advisories if it learns the bug is being exploited, or in cases where it receives no response from the third party.
The policy appears to be the first time a company has said publicly exactly when and how it will report vulnerabilities in the products of its peers, partners and competitors. In July, Google’s security team issued a less detailed policy that said members would generally give companies 60 days to patch vulnerabilities before making them known publicly.
Microsoft has yet to implement a bug-bounty program that compensates researchers for their time and expertise in reporting vulnerabilities in its products. Google and Mozilla have paid rewards for years. Security firm Tipping Point has pledged to make vulnerabilities public six months after reporting them privately.
The focus for everyone seems to ‘protecting the end user’ – why the shift in focus? I’m not entirely sure, but it’s not a bad thing.
You can read the Google Policy here:
Perhaps Microsoft took a leaf from the Google book after all.
Source: The Register