Microsoft Makes Major Shift In Disclosure Policy

Trailrunner7 writes "Microsoft is changing the way in which it handles vulnerability disclosures, now moving to a model it calls coordinated vulnerability disclosure, in which the researcher and the vendor work together to verify a vulnerability and allow ample time for a patch. However, the new philosophy also recognizes that if there are attacks already happening, it may be necessary to release details of the flaw even before a patch is ready. The new CVD strategy relies on researchers to report vulnerabilities either directly to a vendor or to a trusted third party, such as a CERT-CC, who will then report it to the vendor. The finder and the vendor would then try to agree on a disclosure timeline and work from there." Here's Microsoft's announcement of the new strategy.

  • Re:I don't get it? (Score:4, Interesting)

    by agrif ( 960591 ) on Thursday July 22, 2010 @04:44PM (#32995662) Homepage

    Switching the majority OS to GNU/Linux would have one immediate and obvious benefit: the source is widely available and widely modifiable. If we find a vulnerability, it can be diagnosed and patched immediately, without having to wait for a corporation's blessing. Hell, you don't even have to wait for the kernel team's blessing, or any other governing entity. Just post the patch and tell people about it!

    It used to be clear that *nix systems were more secure, because they were actual multi-user systems. Nowadays, it's less clear. I'm certain a properly set up SELinux system is still miles more secure than Windows 7, but it's unlikely a common user will have that. However, even if there is no security advantage, I know this: Linux may not be more secure, but it is certainly easier to keep secure.

  • Re:I don't get it? (Score:3, Interesting)

    by JohnBailey ( 1092697 ) on Thursday July 22, 2010 @05:14PM (#32996176)

    I'm not saying it's the public's job to troubleshoot their shoddy code and develop fixes.

    I'm just saying I feel it IS the public's responsibility not to make potentially dangerous information available to people with malicious intent.

    I have no love for MS. I just feel everyone is better off with "Hey you morons, look at the latest exploit" instead of "Hey, general public including innumerable black hats, look at the latest exploit".

    That does kind of depend quite heavily on the researcher being the first to find the vulnerability, and the vendor allocating enough people to adequately deal with fixing it in a timely manner.

    Can you say with any real supportable evidence that either statement is a safe assumption? Because I know I can't. And to be honest, I doubt any researcher worth their title can either. Including the guy who I imagine kicked this new policy off by disclosing one he discovered when Microsoft were palming him off with vague answers for a week.

    If the "people with malicious intent" already know about a vulnerability, which is a much safer assumption to make, and Microsoft are dragging their feet, because hiring enough good security people is expensive, is it not the researcher's duty to inform the general public? Who can then take steps to protect themselves while waiting for Microsoft to get around to making the patch available the next Patch Tuesday? After all.. We are vulnerable every second of every day to a host of unknown unreported vulnerabilities that any "black hat" could discover by themselves, and exploit for fun and profit. We can't be wary about exploits we are not aware of.

    If a vulnerability is discovered, which do you think is faster to react? A company who knows the finder is not going to tell anybody, so they can take their time, or even ignore them completely.. Or a company who knows they better get right on it, or have a pretty nasty PR mess to clean up?

    Who do you think has the bigger and more authoritative security team? One who has perhaps got the authority to say to marketing.. "No you bloody well will not do that. And I don't care how much easier it makes sharing your whole hard drive over the internet with aunty Gladys and her bridge team!"

    As you sit there worrying about Microsoft possibly losing money, or having their reputation tarnished.. Or worst of all.. Having to increase the size of the security team.. Ask yourself this question..

    "What would BP have done differently if the warnings they had earlier been given about the safety of the gulf rig were a matter of public record"?

    http://www.nzherald.co.nz/business/news/article.cfm?c_id=3&objectid=10652032 (first one I came across on Google, not the first one I have read)
