Microsoft Implements Company Policy For Vulnerability Disclosure


Microsoft has implemented a new company policy regarding vulnerability disclosure in non-Microsoft products (third-party products). Unsurprisingly they are following the ‘responsible disclosure’ line rather than the ‘full disclosure’ line favoured by the infosec community.

It’s fair enough though, as they say treat others as you wish to be treated. I’m pretty sure Microsoft would much prefer people to report vulnerabilities to them privately and give them adequate time to fix the problem before disclosing publicly.

If you really THAT interested, you can actually download the policy here (MS Word).

Microsoft has implemented a new company policy requiring all employees to follow a detailed set of procedures when reporting security vulnerabilities in third-party products.

The practices are an evolution of the coordinated vulnerability disclosure doctrine it proposed in July. They’re intended to simplify communication among affected parties and reduce the chances that vulnerability reports will result in it being exploited in the wild. Among other things, they require employees to send private notifications to the organization responsible for the vulnerable software, hardware or service and only later publish a public advisory.

“We’re definitely into the idea of no surprises for any of our vendors that we find vulnerabilities in,” said Microsoft Senior Security Strategist Katie Moussouris. “We’re basically following the golden rule for disclosure, and it’s all about protecting customers, because there’s no reason to unnecessarily amplify risk by imposing some sort of one-size-fits-all deadline on things.”

The policy (MS Word document here) applies to all Microsoft employees, whether they find vulnerabilities during their personal time or as part of their official duties. The procedures are intended to move away from the doctrine of “responsible disclosure,” which many people in security circles came to resent because it suggested all who disagreed with it were somehow behaving improperly.

It’s interesting to see a company really showing the public at large how they intend to deal with finding vulnerabilities in other peoples software. Google has published a similar (but MUCH less detailed) policy regarding disclosure.

Google will generally give 60 days before they publish a vulnerability publicly, a lot of people give up trying to contact vendors after a few bounced or unreplied e-mails and just post the details on mailing lists like Bugtraq or Full-disclosure.

What will be fascinating is to see what kind of vulnerabilities Microsoft will publish, it’ll give us some idea as to which products and what types of software they are looking at.


Under the policy, Microsoft employees who discover vulnerabilities will report them privately to the third-party organizations responsible. Encrypted email is the favored medium, but only after the employee has identified the right third-party person to receive the report. The reports should include crash dump information, proofs of concept or exploit code, root cause analysis, and other technical details.

“Any vulnerability information provided to the vendor is not intended for public use, but for the vendor’s use to identify and remediate the vulnerability,” the policy states.

For the first time, Microsoft will begin publishing advisories about the vulnerabilities its employees have discovered – preferably only after the security hole has been patched. Microsoft may also issue advisories if it learns the bug is being exploited, or in cases where it receives no response from the third party.

The policy appears to be the first time a company has said publicly exactly when and how it will report vulnerabilities in the products of its peers, partners and competitors. In July, Google’s security team issued a less detailed policy that said members would generally give companies 60 days to patch vulnerabilities before making them known publicly.

Microsoft has yet to implement a bug-bounty program that compensates researchers for their time and expertise in reporting vulnerabilities in its products. Google and Mozilla have paid rewards for years. Security firm Tipping Point has pledged to make vulnerabilities public six months after reporting them privately.

The focus for everyone seems to ‘protecting the end user’ – why the shift in focus? I’m not entirely sure, but it’s not a bad thing.

You can read the Google Policy here:

Rebooting Responsible Disclosure: a focus on protecting end users

Perhaps Microsoft took a leaf from the Google book after all.

Source: The Register

Posted in: Legal Issues, Windows Hacking


Latest Posts:


RandIP - Network Mapper To Find Servers RandIP – Network Mapper To Find Servers
RandIP is a nim-based network mapper application that generates random IP addresses and uses sockets to test whether the connection is valid or not with additional tests for Telnet and SSH.
Nipe - Make Tor Default Gateway For Network Nipe – Make Tor Default Gateway For Network
Nipe is a Perl script to make Tor default gateway for network, this script enables you to directly route all your traffic from your computer to the Tor network.
Mosca - Manual Static Analysis Tool To Find Bugs Mosca – Manual Static Analysis Tool To Find Bugs
Mosca is a manual static analysis tool written in C designed to find bugs in the code before it is compiled, much like a grep unix command.
Slurp - Amazon AWS S3 Bucket Enumerator Slurp – Amazon AWS S3 Bucket Enumerator
Slurp is a blackbox/whitebox S3 bucket enumerator written in Go that can use a permutations list to scan externally or an AWS API to scan internally.
US Government Cyber Security Still Inadequate US Government Cyber Security Still Inadequate
Surprise, surprise, surprise - an internal audit of the US Government cyber security situation has uncovered widespread weaknesses, legacy systems and poor adoption of cyber controls and tooling.
BloodHound - Hacking Active Directory Trust Relationships BloodHound – Hacking Active Directory Trust Relationships
BloodHound is for hacking active directory trust relationships and it uses graph theory to reveal the hidden and often unintended relationships within an AD environment.


Comments are closed.