Microsoft renames responsible disclosure
By Nicole Kobie
Posted on 23 Jul 2010 at 09:24
Microsoft has called for security researchers to stop using the term "responsible disclosure" in favour of "coordinated vulnerability disclosure".
The new phrasing comes as part of an ongoing debate between Microsoft and Google regarding disclosure in the security industry, which kicked off when a researcher working for the web search giant published a flaw in Windows Support just days after alerting Microsoft.
Google this week said it would support a 60-day time limit for companies to respond to security researchers' discoveries, admitting that the phrase "responsible disclosure" was emotionally charged and not always more "responsible" than full disclosure.
Microsoft has now weighed in, backed by a host of tech firms including Cisco, Intel and Symantec.
Under CVD, researchers would privately report flaws they find to vendors and give them time to develop a patch or workaround. If attacks were already using the flaw, some details could be disclosed "with both the finder and vendor working together as closely as possible to provide consistent messaging and guidance to customers to protect themselves," said Matt Thomlinson, general manager of Trustworthy Computing, on Microsoft's security blog.
However, Microsoft admitted its new way of thinking is little more than a name change. "CVD does not represent a huge departure from the current definition of 'responsible disclosure,' and we would still view vulnerability details being released broadly outside these guidelines as putting customers at unnecessary levels of risk," said Thomlinson.
Microsoft called on the rest of the security industry to adopt the new system, saying everyone needs to work together to keep users safe. "We recognise it's possible that very limited attacks may be happening without our knowledge," Thomlinson added. "However, we fundamentally believe (and our experience over the last 10 years has shown) that once vulnerability details are released publicly, the probability of exploitation rises significantly."