Microsoft remodels coordinated security disclosures
By Robert Westervelt, News Director, SearchSecurity | Jul 26, 2010
Microsoft is attempting to reshape responsible disclosure by security researchers, announcing a new model that it says could provide a more coordinated response to zero-day vulnerabilities.
Called "Coordinated Vulnerability Disclosure" (CVD), the new model is similar to Microsoft's responsible disclosure policy. It urges security researchers to report the issue to the vendor or to a Computer Emergency Readiness Team coordination center. Under CVD, both the vendor and the researcher would agree to a timeline to fix the issue. In a blog entry, Matt Thomlinson, general manager of Security at Microsoft's Trustworthy Computing group, said the software giant would attempt to provide as much transparency as possible in the process.
"Responsibility is still imperative, but it is a shared responsibility across the community of security researchers, security product providers and other software vendors," Thomlinson wrote in the Microsoft Security Response Center blog. "Each member of this community of defenders plays a role in improving the overall security of the computing ecosystem."
Microsoft's new model follows the public disclosure of a zero-day vulnerability by noted security researcher Tavis Ormandy of Google. Within days, Microsoft issued a statement warning that it had detected malicious attacks attempting to target the vulnerability. Ormandy issued proof-of-concept code targeting the flaw in Windows XP.
Thomlinson said Microsoft and other software makers should be responsible for clearly communicating with the security researcher reporting the flaw. The software maker pledged to provide timely updates and target dates for resolution. In addition, Thomlinson said security researchers adhering to the policy could publish advance security advisories with limited details, leaving out proof-of-concept code.
"Vendors and finders need to work closely toward a resolution; extensive efforts should be made to make a timely response; and only in the event of active attacks is public disclosure, focused on mitigations and workarounds, likely the best course of action -- and even then it should be coordinated as closely as possible," Thomlinson wrote.
Security researchers speak out
While Microsoft's new model is being supported by a number of experts, other researchers say it is not likely to have much effect on how flaws are reported.