Microsoft to publish third-party bugs

Microsoft has started publishing details of third-party flaws as its security policy continues to evolve.

Last year, Microsoft unveiled its coordinated vulnerability disclosure (CVD), designed to bridge the ground between public disclosure and responsible disclosure - and stop suggesting anything other than the latter was "irresponsible" by default.

Under its new policy, Microsoft will publish vulnerabilities that its staff uncover in third-party software, preferably after the flaws have been patched.

The first two flaws to be published are in browsers, one in Chrome, another in Chrome and Opera. Both flaws have been fixed; they affected version six and eight of Google's browser, suggesting Microsoft has let months lapse before going public, as Chrome is now on version 10.

Indeed, Microsoft isn't giving a deadline to other software developers. "Microsoft will never reveal vulnerability details before a vendor-supplied update is available for issues reported though the Microsoft Vulnerability Research program unless there is significant evidence of active attacks in the wild," the company said.

"If attacks begin before the vendor has released their remediation, Microsoft will continue to coordinate to release consistent mitigation and workaround guidance with the vendor."

Google's security team publishes third-party vulnerabilities 60 days after alerting the developer.

Microsoft's general manager for Trustworthy Computing, Matt Thomlinson, said his firm hoped others would adopt its system.

"Collaboration between security researchers and vendors is ultimately about preventing attacks and protecting the computing ecosystem," he said in a blog post.

"By working together through coordinated efforts when vulnerabilities are identified, we can effectively minimise customer risk while a solution is developed."

This article originally appeared at pcpro.co.uk