Microsoft Launches 'Coordinated' Vulnerability Disclosure Program

Microsoft abandons controversial 'responsible disclosure' term, supporting public disclosure of unpatched bug details when attacks hit

Microsoft today revealed a new, modified approach to how it works with security researchers and handles vulnerability disclosures, including working with researchers to publicly release vulnerability details of a zero-day flaw when attacks are under way.

In an interview with Dark Reading, Mike Reavey, director of Microsoft Security Response Center, said Microsoft is now promoting "coordinated vulnerability disclosure" (CVD) and moving toward working more closely with researchers in coordinating the release of details on new, unpatched bugs. Reavey says the term "responsible disclosure" had become too emotionally charged and it was time for a shift in philosophy.

"This is not a drastic departure from what we're already doing, but we think it's important," Reavey says. "The two changes here are talking about how responsibility extends beyond disclosure -- where [researchers and vendors] are working together to minimize the risk [to users]," he says. "And if there are attacks in the wild, we are working to coordinate [disclosure] even if a fix isn't ready."

Reavey says Microsoft's shift in philosophy came, in part, out of feedback it has received from the security community over the emotionally charged term "responsible disclosure."

"It makes sense to talk about vulnerability disclosure for what it really is and what works. So we're making a call to shift the way we talk about it ... to coordinated vulnerability disclosure," says Reavey, who posted a blog with this announcement.

If active attacks are exploiting an unpatched flaw, he says, then it makes sense to alert users about the bug. "We're making sure that we can coordinate the release of vulnerability details with a fix that's broadly available for all customers," Reavey says. "In an active attack, it's OK to release vulnerability details. This is a clear call to action for customers to know what to do. We did that recently with the Help Center issue and with the Shortcut files issue [in Windows]."

But Microsoft hasn't changed its stance against full disclosure, where a bug finder releases details of a flaw without the vendor getting a shot at patching it first. Reavey says Microsoft is, however, willing to work with researchers who go that route on a fix for the flaws they reveal publicly. "If someone has the mindset that they want to disclose fully [a vulnerability], we disagree because it's not the best way to protect customers. But we still work with them," he says.

The software giant has been under pressure from security researchers who disagree with what had been Microsoft's traditional stance on responsible disclosure, where a bug finder hands over the discovery to the affected vendor, which then handles the fix on its own timetable. A series of recent zero-day disclosures, including one from Google researcher Tavis Ormandy and then one from a group of hackers calling themselves the "Microsoft-Spurned Researcher Collective," brought the issue to the fore. Microsoft took issue with Ormandy's handling of his disclosure: he reported the bug to Microsoft on June 5 and then went public with it four days later -- before the vendor was able to fix it.

Meanwhile, late yesterday Ormandy and other Google researchers issued a plea for speeding up vendors' patch turnaround times. "Whilst every bug is unique, we would suggest that 60 days is a reasonable upper bound for a genuinely critical issue in widely deployed software. This time scale is only meant to apply to critical issues," they blogged.

The Googlers contend it can be "irresponsible" for a flaw to remain unfixed over a long period of time -- sometimes years. The researchers for the search engine giant say from now on, they will set a disclosure deadline on any serious bug they report, and if the vendor doesn't fix it within that time frame, then they will publish an analysis of the bug as well as any workarounds. Researchers will also be able to set "an aggressive disclosure deadline where evidence exists that blackhats already have knowledge of a given bug," they said. "We would invite other researchers to join us in using the proposed disclosure deadlines to drive faster security response efforts."

Setting patch deadlines is something Microsoft doesn't support. Microsoft contends that patching is a delicate balance between quality and timeliness; it goes through an involved testing process before issuing a patch.

"The real reason we don't have a set deadline for fixing security issues is that there's not a one-size-fits-all for Microsoft or the industry," Reavey said in the interview. "We want to make sure when we put out an update for customers, it works."

And some flaws take longer to fix than others, depending on the complexity of the flaw and how it could affect other software products, he says. "The ATL [Active Template Libraries] vulnerability took over a year to get fixed. It was a vulnerability that affected 89 Microsoft products and 37 third-party, non-Microsoft products," Reavey says. "The vulnerability itself was fairly straightforward, but when it involves multiple products, it took some time to get that out and fixed."

Meanwhile, the process for reporting a vulnerability to Microsoft basically stays the same under CVD, according to Reavey: for example, Microsoft still assigns a security representative to work with the researcher throughout the life cycle of the bug and its patch.

The reality is that no single party can tackle the bugs and the exploits written by the bad guys on its own, Reavey says. "With this complex landscape we have with cybercrime, no one vendor or person can solve this problem by themselves. The responsibility is to coordinate and get together as a community," he says.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
