Microsoft In Favour Of Responsible Disclosure

Microsoft is modifying its strategy of dealing with security researchers in an attempt to make the process of finding and fixing flaws easier and more secure.

Currently the industry is debating the merits of full disclosure (FD), where flaw information is published before a patch is available, and responsible disclosure (RD), where news is held back until a patch is available.

"Most vendors including Microsoft are in favour of RD, while finders fall across the spectrum from FD to RD," said Katie Moussouris, senior security strategist at Microsoft, in a blog posting that has drawn the support of some of the biggest names in the industry.

"Responsible Disclosure should be deprecated in favour of something focused on getting the job done, which is to improve security and to protect users and systems."

Microsoft's planned Coordinated Vulnerability Disclosure (CVD) system would be broadly similar to current responsible disclosure systems, but with one caveat: if attacks are discovered in the wild, the company and the researcher will announce the problem and the available workarounds so that systems can be protected before a patch is ready.

She said that while Microsoft disagreed with full disclosure advocates, it still wanted to work with researchers who operated under those principles so that any announcement could be co-ordinated and customers protected.

"It is evident from listening to those on both extremes of the disclosure argument that there is one thing that we are all trying to do: protect customers," said Matt Thomlinson, general manager of security at Trustworthy Computing.

"We've been working with the security community closely for years to coordinate our actions for the benefit of customers. Coordinated vulnerability disclosure will help keep users safe."
