Coordinated Vulnerability Disclosure Reloaded

Today on the MSRC Blog, Matt Thomlinson announced three new efforts to provide more transparency into Microsoft’s vulnerability disclosure process.  These included a Coordinated Vulnerability Disclosure (CVD) at Microsoft procedures document, the first release of MSVR Advisories on vulnerabilities that were discovered by Microsoft and fixed by affected vendors, and an internal employee disclosure policy.

The vulnerability disclosure debate has continued over the years with all sides seeking the best way to protect users.  We believe the best way to improve software security is through comprehensive Security Development Lifecycle (SDL) programs that build security into software from the very beginning.   For vulnerabilities that remain after software is released, we feel that disclosure of vulnerability details should be done in a way that allows vendors an opportunity to address the issues without amplifying risk.

In our experience as finders and coordinators, we know that disclosing vulnerabilities to a vendor can be a complex process. This is why we developed the Microsoft Vulnerability Research (MSVR) program as a way for our employees to report vulnerabilities they find to affected vendors.

We understand that there are differing approaches to vulnerability disclosure.  Even if finders do not share our disclosure philosophy, we appreciate any information finders are willing to share with us. Our hope is that finders will give us the opportunity to address the issue comprehensively with a fully tested update before releasing technical details publicly. We hope our transparency with our disclosure process encourages more finders to work with us who may not have otherwise.

We’ve listened to the security community, including security researchers, vendors and CERTs, in documenting our approach to disclosure.  We’d like to thank the following people for reviewing our Coordinated Vulnerability Disclosure at Microsoft document. If you have comments or opinions, we’d like to hear from you. Please follow us on Twitter at @msftsecresponse or me at @k8em0.

– Katie Moussouris, Senior Security Strategist, MSRC

Microsoft thanks the following people for reviewing our Coordinated Vulnerability Disclosure procedures document:

Bryan Burns, Distinguished Engineer, Juniper Networks

Arturo ‘Buanzo’ Busleiman, Independent Security Consultant

Steve Christey, CVE Editor, MITRE

Dave Dittrich, Security Engineer/Researcher, Applied Physics Laboratory, University of Washington

Jussi Eronen, Infosec adviser, CERT-FI

Ian Glover, President, Council of Registered Ethical Security Testers (CREST)

Jake Kouns, CEO, Open Security Foundation

Zach Lanier, Intrepidus Group

Marc Maiffret, Chief Technology Officer, eEye Digital Security

Art Manion, CERT Vulnerability Analysis Team

Steve Manzuik, Director of Security Research, Leviathan Security Group

Charlie Miller, Independent Security Evaluators

Toshio Miyachi, Board Member, JPCERT Coordination Center

Bruce Monroe, Senior Information Security Specialist, Intel

Mike Prosser, Symantec Product Security Team

Ryan Permeh, Manager of Product Security, McAfee

Marsh Ray, Senior Software Development Engineer, Phonefactor

Russell Smoak, Sr Director / GM Security Research and Operations, CISCO Services

Chris Wysopal, Chief Technology Officer, Veracode