Feeds

Microsoft imposes security disclosure policy on all workers

Redmond joins security advisory mill

The Power of One eBook: Top reasons to choose HP BladeSystem

Microsoft has implemented a new company policy requiring all employees to follow a detailed set of procedures when reporting security vulnerabilities in third-party products.

The practices are an evolution of the coordinated vulnerability disclosure doctrine it proposed in July. They're intended to simplify communication among affected parties and reduce the chances that vulnerability reports will result in it being exploited in the wild. Among other things, they require employees to send private notifications to the organization responsible for the vulnerable software, hardware or service and only later publish a public advisory.

“We're definitely into the idea of no surprises for any of our vendors that we find vulnerabilities in,” said Microsoft Senior Security Strategist Katie Moussouris. “We're basically following the golden rule for disclosure, and it's all about protecting customers, because there's no reason to unnecessarily amplify risk by imposing some sort of one-size-fits-all deadline on things.”

The policy (MS Word document here) applies to all Microsoft employees, whether they find vulnerabilities during their personal time or as part of their official duties. The procedures are intended to move away from the doctrine of “responsible disclosure,” which many people in security circles came to resent because it suggested all who disagreed with it were somehow behaving improperly.

Under the policy, Microsoft employees who discover vulnerabilities will report them privately to the third-party organizations responsible. Encrypted email is the favored medium, but only after the employee has identified the right third-party person to receive the report. The reports should include crash dump information, proofs of concept or exploit code, root cause analysis, and other technical details.

“Any vulnerability information provided to the vendor is not intended for public use, but for the vendor's use to identify and remediate the vulnerability,” the policy states.

For the first time, Microsoft will begin publishing advisories about the vulnerabilities its employees have discovered – preferably only after the security hole has been patched. Microsoft may also issue advisories if it learns the bug is being exploited, or in cases where it receives no response from the third party.

The policy appears to be the first time a company has said publicly exactly when and how it will report vulnerabilities in the products of its peers, partners and competitors. In July, Google's security team issued a less detailed policy that said members would generally give companies 60 days to patch vulnerabilities before making them known publicly.

Microsoft has yet to implement a bug-bounty program that compensates researchers for their time and expertise in reporting vulnerabilities in its products. Google and Mozilla have paid rewards for years. Security firm Tipping Point has pledged to make vulnerabilities public six months after reporting them privately.

The Microsoft Vulnerability Research group unveiled the policy on Tuesday, the same day it released two separate advisories for critical vulnerabilities that were fixed in the Opera and Google Chrome browsers months ago. They were discovered by Microsoft researchers David Weston and Nirankush Panchbhai. ®

Designing a Defense for Mobile Applications

More from The Register

next story
DARPA-derived secure microkernel goes open source tomorrow
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.