Microsoft to publish third-party bugs

Coordinated vulnerability disclosure system will take some bugs public.

Microsoft has started publishing details of third-party flaws as its security policy continues to evolve.

Last year, Microsoft unveiled its coordinated vulnerability disclosure (CVD) policy, designed to bridge the gap between full public disclosure and responsible disclosure - and to stop implying that anything other than the latter was "irresponsible" by default.

Under its new policy, Microsoft will publish vulnerabilities that its staff uncover in third-party software, preferably after the flaws have been patched.

The first two flaws to be published are in browsers: one in Chrome, the other in both Chrome and Opera. Both flaws have been fixed; they affected versions six and eight of Google's browser, suggesting Microsoft let months lapse before going public, as Chrome is now on version 10.

Indeed, Microsoft isn't giving a deadline to other software developers. "Microsoft will never reveal vulnerability details before a vendor-supplied update is available for issues reported through the Microsoft Vulnerability Research program unless there is significant evidence of active attacks in the wild," the company said.

"If attacks begin before the vendor has released their remediation, Microsoft will continue to coordinate to release consistent mitigation and workaround guidance with the vendor."

Google's security team publishes third-party vulnerabilities 60 days after alerting the developer.

Microsoft's general manager for Trustworthy Computing, Matt Thomlinson, said his firm hoped others would adopt its system.

"Collaboration between security researchers and vendors is ultimately about preventing attacks and protecting the computing ecosystem," he said in a blog post.

"By working together through coordinated efforts when vulnerabilities are identified, we can effectively minimise customer risk while a solution is developed."

This article originally appeared at pcpro.co.uk

Copyright © Alphr, Dennis Publishing