Microsoft to publish third-party bugs

Coordinated vulnerability disclosure system will take some bugs public.

Microsoft has started publishing details of third-party flaws as its security policy continues to evolve.

Last year, Microsoft unveiled its coordinated vulnerability disclosure (CVD) policy, designed to bridge the gap between full public disclosure and responsible disclosure - and to stop implying that anything other than the latter is "irresponsible" by default.

Under the new policy, Microsoft will publish details of vulnerabilities that its staff uncover in third-party software, but as a rule only after the flaws have been patched.

The first two flaws to be published are in browsers: one in Chrome, the other in both Chrome and Opera. Both flaws have been fixed; they affected versions 6 and 8 of Google's browser, suggesting Microsoft let months lapse before going public, as Chrome is now on version 10.

Indeed, Microsoft isn't giving other software developers a disclosure deadline. "Microsoft will never reveal vulnerability details before a vendor-supplied update is available for issues reported through the Microsoft Vulnerability Research program unless there is significant evidence of active attacks in the wild," the company said.

"If attacks begin before the vendor has released their remediation, Microsoft will continue to coordinate to release consistent mitigation and workaround guidance with the vendor."

By contrast, Google's security team publishes third-party vulnerabilities 60 days after alerting the developer, whether or not a fix has shipped.

Microsoft's general manager for Trustworthy Computing, Matt Thomlinson, said his firm hoped others would adopt its system.

"Collaboration between security researchers and vendors is ultimately about preventing attacks and protecting the computing ecosystem," he said in a blog post.

"By working together through coordinated efforts when vulnerabilities are identified, we can effectively minimise customer risk while a solution is developed."

This article originally appeared at pcpro.co.uk

Copyright © Alphr, Dennis Publishing