Feeds

Microsoft imposes security disclosure policy on all workers

Redmond joins security advisory mill

Internet Security Threat Report 2014

Microsoft has implemented a new company policy requiring all employees to follow a detailed set of procedures when reporting security vulnerabilities in third-party products.

The practices are an evolution of the coordinated vulnerability disclosure doctrine it proposed in July. They're intended to simplify communication among affected parties and reduce the chances that vulnerability reports will result in it being exploited in the wild. Among other things, they require employees to send private notifications to the organization responsible for the vulnerable software, hardware or service and only later publish a public advisory.

“We're definitely into the idea of no surprises for any of our vendors that we find vulnerabilities in,” said Microsoft Senior Security Strategist Katie Moussouris. “We're basically following the golden rule for disclosure, and it's all about protecting customers, because there's no reason to unnecessarily amplify risk by imposing some sort of one-size-fits-all deadline on things.”

The policy (MS Word document here) applies to all Microsoft employees, whether they find vulnerabilities during their personal time or as part of their official duties. The procedures are intended to move away from the doctrine of “responsible disclosure,” which many people in security circles came to resent because it suggested all who disagreed with it were somehow behaving improperly.

Under the policy, Microsoft employees who discover vulnerabilities will report them privately to the third-party organizations responsible. Encrypted email is the favored medium, but only after the employee has identified the right third-party person to receive the report. The reports should include crash dump information, proofs of concept or exploit code, root cause analysis, and other technical details.

“Any vulnerability information provided to the vendor is not intended for public use, but for the vendor's use to identify and remediate the vulnerability,” the policy states.

For the first time, Microsoft will begin publishing advisories about the vulnerabilities its employees have discovered – preferably only after the security hole has been patched. Microsoft may also issue advisories if it learns the bug is being exploited, or in cases where it receives no response from the third party.

The policy appears to be the first time a company has said publicly exactly when and how it will report vulnerabilities in the products of its peers, partners and competitors. In July, Google's security team issued a less detailed policy that said members would generally give companies 60 days to patch vulnerabilities before making them known publicly.

Microsoft has yet to implement a bug-bounty program that compensates researchers for their time and expertise in reporting vulnerabilities in its products. Google and Mozilla have paid rewards for years. Security firm Tipping Point has pledged to make vulnerabilities public six months after reporting them privately.

The Microsoft Vulnerability Research group unveiled the policy on Tuesday, the same day it released two separate advisories for critical vulnerabilities that were fixed in the Opera and Google Chrome browsers months ago. They were discovered by Microsoft researchers David Weston and Nirankush Panchbhai. ®

Internet Security Threat Report 2014

More from The Register

next story
George Clooney, WikiLeaks' lawyer wife hand out burner phones to wedding guests
Day 4: 'News'-papers STILL rammed with Clooney nuptials
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.