Microsoft has implemented a new company policy requiring all employees to follow a detailed set of procedures when reporting security vulnerabilities in third-party products.

The practices are an evolution of the coordinated vulnerability disclosure doctrine it proposed in July. They're intended to simplify communication among affected parties and reduce the chances that vulnerability reports will result in it being exploited in the wild. Among other things, they require employees to send private notifications to the organization responsible for the vulnerable software, hardware or service and only later publish a public advisory.

“We're definitely into the idea of no surprises for any of our vendors that we find vulnerabilities in,” said Microsoft Senior Security Strategist Katie Moussouris. “We're basically following the golden rule for disclosure, and it's all about protecting customers, because there's no reason to unnecessarily amplify risk by imposing some sort of one-size-fits-all deadline on things.”

The policy (MS Word document here) applies to all Microsoft employees, whether they find vulnerabilities during their personal time or as part of their official duties. The procedures are intended to move away from the doctrine of “responsible disclosure,” which many people in security circles came to resent because it suggested all who disagreed with it were somehow behaving improperly.

Under the policy, Microsoft employees who discover vulnerabilities will report them privately to the third-party organizations responsible. Encrypted email is the favored medium, but only after the employee has identified the right third-party person to receive the report. The reports should include crash dump information, proofs of concept or exploit code, root cause analysis, and other technical details.

“Any vulnerability information provided to the vendor is not intended for public use, but for the vendor's use to identify and remediate the vulnerability,” the policy states.

For the first time, Microsoft will begin publishing advisories about the vulnerabilities its employees have discovered – preferably only after the security hole has been patched. Microsoft may also issue advisories if it learns the bug is being exploited, or in cases where it receives no response from the third party.

The policy appears to be the first time a company has said publicly exactly when and how it will report vulnerabilities in the products of its peers, partners and competitors. In July, Google's security team issued a less detailed policy that said members would generally give companies 60 days to patch vulnerabilities before making them known publicly.

Microsoft has yet to implement a bug-bounty program that compensates researchers for their time and expertise in reporting vulnerabilities in its products. Google and Mozilla have paid rewards for years. Security firm Tipping Point has pledged to make vulnerabilities public six months after reporting them privately.

The Microsoft Vulnerability Research group unveiled the policy on Tuesday, the same day it released two separate advisories for critical vulnerabilities that were fixed in the Opera and Google Chrome browsers months ago. They were discovered by Microsoft researchers David Weston and Nirankush Panchbhai. ®

Related stories

• RIP Full Disclosure: Security world reacts to key mailing list's death (19 March 2014)

  https://www.theregister.com/2014/03/19/full_disclosure_closes/

• GitHub reinstates Russian who hacked site to expose flaw (5 March 2012)

  https://www.theregister.com/2012/03/05/github_hack/

• Secunia jumps on vuln reward bandwagon (2 November 2011)

  https://www.theregister.com/2011/11/02/secunia_vulnerability_rewards/

• Microsoft inadvertently offers early peep at September patches (12 September 2011)

  https://www.theregister.com/2011/09/12/ms_spills_patch_tuesday_low_down/

• Facebook pays bounties of $40,000 in first 3 weeks (30 August 2011)

  https://www.theregister.com/2011/08/30/facebook_bug_bounty_progress/

• Facebook dangles cash rewards for bug reports (29 July 2011)

  https://www.theregister.com/2011/07/29/facebook_bug_bounties/

• Whitehats break out of Google Chrome sandbox (9 May 2011)

  https://www.theregister.com/2011/05/09/google_chrome_pwned/

• MS now issuing security advisories about third-party Windows bugs (26 April 2011)

  https://www.theregister.com/2011/04/26/ms_third_party_bug_advisories/

• Cambridge boffins rebuff banking industry take down request (29 December 2010)

  https://www.theregister.com/2010/12/29/chip_and_pin_take_down_rebuffed/

• Big vendors get deadline to fix holes, or face the music (9 August 2010)

  https://www.theregister.com/2010/08/09/vuln_disclosure_analysis/

• Tight-lipped Apple fixes Safari autosnoop bug (28 July 2010)

  https://www.theregister.com/2010/07/28/apple_safari_bug_patch/

• Microsoft to banish 'responsible' from disclosure debate (22 July 2010)

  https://www.theregister.com/2010/07/22/microsoft_coordinated_disclosure/

• Spurned security researchers form anti-MS collective (6 July 2010)

  https://www.theregister.com/2010/07/06/ms_spurned_research_collective/

• Google (finally) pays bounties for Chrome bug reports (29 January 2010)

  https://www.theregister.com/2010/01/29/google_bug_bounty_program/

• Bug brokers offering higher bounties (25 January 2007)

  https://www.theregister.com/2007/01/25/bug_brokers_offering_higher_bouties/

• Report security vulns at your peril (25 May 2006)

  https://www.theregister.com/2006/05/25/security_vuln_reporting_risk/