Microsoft wants to reframe the discussion about vulnerability reporting by replacing the term "responsible disclosure" with "coordinated vulnerability disclosure." The announcement comes the week before the start of the Black Hat and DEFCON security conferences in Las Vegas, and follows some prominent examples of how the disclosure debate has not died.
The past several weeks have seen some prominent examples of just how contentious the issue of responsible disclosure can still be.
With the Black Hat and DEFCON security conferences just around the
corner, Microsoft wants to change the mindset surrounding discussions
of vulnerability disclosures by emphasizing the concept of collaboration
Rather than use the term "responsible disclosure," the company is
pushing a similar concept called "coordinated vulnerability
disclosure," where vulnerabilities are either disclosed
directly to the affected vendor or a private service, CERT
Coordination Center or other coordinator who will report the issue
to the vendor privately.
"In recognition of the endless debate between responsible disclosure
and full disclosure proponents and its ability to detract from
meaningful and productive industry collaboration and customer defense,
we believe that the community mindset needs to shift, framing a key
point-that coordination and collaboration are required to resolve issues in a way that minimizes risk and disruption for customers," blogged Matt Thomlinson
, general manager for security with Microsoft's Trustworthy Computing group.
In the event attacks are underway in the wild, vulnerability details
can be disclosed publicly earlier with both the finder and vendor
working together to provide consistent messaging and guidance to users,
"[Coordinated vulnerability disclosure] does not represent a huge
departure from the current definition of "responsible disclosure," and
we would still view vulnerability details being released broadly
outside these guidelines as putting customers at unnecessary levels of
risk," he added. "However, [it] does allow for more focused
coordination on how issues are addressed publicly."
Microsoft's attempt to shift the focus with wordplay follows the controversy last month surrounding Tavis Ormandy's public disclosure of a Windows vulnerability
days after he reported it to Microsoft. While some criticized Ormandy
for going publicly so quickly, others cited past examples of IT vendors
ignoring security flaws presented to them by researchers and leaving
the public vulnerable.
Mike Reavy, director of the Microsoft Security Response Center, blogged that he
being on the outside of Microsoft and watching researcher discussions
noting how the company was unresponsive. Today, Microsoft has made
dramatic changes on that front, he wrote.
"Some will say that we take too long to fix our vulnerabilities," he
blogged. "But it isn't all about time-to-fix: Our chief priority with
respect to security updates is to minimize disruption to our customers
and to help protect them from online criminal attackers."
The security response center, he added, receives more than 100,000
e-mail messages per year, which is filtered down to roughly 1,000
legitimate vulnerability investigations.
"When communication breakdowns and disagreements happen, resulting
in vulnerability details disclosed by researchers before we release an
update, those details are then used by criminals to attack our
customers," Reavy wrote. "The worst situation is when vulnerabilities
aren't disclosed to the vendor at all, because then there's very little
hope of broad protections ever getting released for all customers."