
Microsoft Makes Major Shift In Disclosure Policy

Posted by timothy
from the tread-water-faster dept.
Trailrunner7 writes "Microsoft is changing the way in which it handles vulnerability disclosures, now moving to a model it calls coordinated vulnerability disclosure, in which the researcher and the vendor work together to verify a vulnerability and allow ample time for a patch. However, the new philosophy also recognizes that if there are attacks already happening, it may be necessary to release details of the flaw even before a patch is ready. The new CVD strategy relies on researchers to report vulnerabilities either directly to a vendor or to a trusted third party, such as a CERT-CC, who will then report it to the vendor. The finder and the vendor would then try to agree on a disclosure timeline and work from there." Here's Microsoft's announcement of the new strategy.
This discussion has been archived. No new comments can be posted.

  • by Anonymous Coward on Thursday July 22 2010, @03:25PM (#32994486)
    Posting anonymously for obvious reasons. What happens today if one emails Apple's product security team (product-security@apple.com)? A few things. First, you get a generic pre-generated email that acknowledges that Apple received your email. Next, if you're lucky, you get an email from an analyst who has reviewed your vulnerability. What happens next? 1) No updates are provided. Ever. 2) If you ask for an update as to when the vulnerability will be fixed, you will not get a detailed response. 3) Apple waits several months. 4) Apple waits several months. 5) Apple fixes the bug, possibly. 6) You get an email from Apple asking how you want to be credited. 7) If you're lucky, Apple will send you an email with notification on when they're planning to fix the issue, along with the exact wording of the specific advisory. 8) If you're lucky, Apple will fix the advisory in the week they say they will. 9) Normally, the date will slip a few weeks. Or maybe a month. I applaud Microsoft for doing this. Hopefully Apple will follow suit and move out from the stone ages.
