Microsoft renames responsible disclosure
By Nicole Kobie
Posted on 23 Jul 2010 at 09:24
Microsoft has called for security researchers to stop using the term "responsible disclosure" in favour of "coordinated vulnerability disclosure".
The new phrasing comes as part of an ongoing debate between Microsoft and Google regarding disclosure in the security industry, which kicked off when a researcher working for the web search giant published a flaw in Windows Support just days after alerting Microsoft.
Google this week said it would support a 60-day time limit for companies to respond to security researchers' discoveries, admitting that the phrase "responsible disclosure" is emotionally charged and that the practice is not always more "responsible" than full disclosure.
Microsoft has now weighed in, backed by a host of tech firms including Cisco, Intel and Symantec.
Under CVD, researchers would privately report flaws they find to vendors and give them time to develop a patch or workaround. If attacks were already using the flaw, some details could be disclosed "with both the finder and vendor working together as closely as possible to provide consistent messaging and guidance to customers to protect themselves," said Matt Thomlinson, general manager of Trustworthy Computing, on Microsoft's security blog.
However, Microsoft admitted its new way of thinking is little more than a name change. "CVD does not represent a huge departure from the current definition of 'responsible disclosure,' and we would still view vulnerability details being released broadly outside these guidelines as putting customers at unnecessary levels of risk," said Thomlinson.
It called on the rest of the security industry to adopt the new system, saying everyone needs to work together to keep users safe. "We recognise it's possible that very limited attacks may be happening without our knowledge," Thomlinson added. "However, we fundamentally believe (and our experience over the last 10 years has shown) that once vulnerability details are released publicly, the probability of exploitation rises significantly."