Forgot your password?
typodupeerror
Microsoft Security Software IT

Microsoft Makes Major Shift In Disclosure Policy 65

Posted by timothy
from the tread-water-faster dept.
Trailrunner7 writes "Microsoft is changing the way in which it handles vulnerability disclosures, now moving to a model it calls coordinated vulnerability disclosure, in which the researcher and the vendor work together to verify a vulnerability and allow ample time for a patch. However, the new philosophy also recognizes that if there are attacks already happening, it may be necessary to release details of the flaw even before a patch is ready. The new CVD strategy relies on researchers to report vulnerabilities either directly to a vendor or to a trusted third party, such as a CERT-CC, who will then report it to the vendor. The finder and the vendor would then try to agree on a disclosure timeline and work from there." Here's Microsoft's announcement of the new strategy.
This discussion has been archived. No new comments can be posted.

Microsoft Makes Major Shift In Disclosure Policy

Comments Filter:
  • by eldavojohn (898314) * <eldavojohn.gmail@com> on Thursday July 22, 2010 @03:02PM (#32994146) Journal
    In response to the second step in the Coordinated Vulnerability Disclosure ("Step 2: Hurry Up and Wait"), I've printed several copies of the CVD on quadruple ply tissue paper and stocked all the restrooms with it. I've also prepared a special four course meal for Mr. Ormandy [slashdot.org] consisting of Taco Bell, a cup of coffee, a cigarette and a spoonful of castor oil.

    Mr. Ormandy, I think you know what to do. I really found it amusing that they called the blog posting "Bringing Balance to the Force" when it looks to be completely defined by Microsoft with little or no input from the community.
    • "Same old sh_t, different day."

    • by BatGnat (1568391)
      How may Microsoft technicians does it take to change a light bulb?

      None, They just redefine darkness as the new standard.....

      I love that one...
      • How may Microsoft technicians does it take to change a light bulb?
        None, They just redefine darkness as the new standard.....
        I love that one...

        The day Microsoft builds a product that doesn't suck is the day they build a vacuum cleaner.

        I love that one more...

  • I guess they achieved their ends and I wonder if Microsoft will be collaborating with the MSRC in the future. :rolleyes

  • Following Google (Score:4, Insightful)

    by SiChemist (575005) on Thursday July 22, 2010 @03:16PM (#32994330) Homepage

    Looks like Google's policy announcement from July 20 [slashdot.org] rattled some MS cages.

    • by b4dc0d3r (1268512)

      Still no apology to Tavis Ormandy. Even though they basically admitted he was right.

      • Re: (Score:1, Insightful)

        by Anonymous Coward

        How does giving a company 5 days to fix an exploit right? If anything this looks like an effort by MS to get the researchers to agree to work with MS so that the details aren't released before a patch is ready. What possible reason is there for releasing this stuff anyway? Does it make anyone safer? Unlikely. Most people don't care enough about security in the first place. All the early release of the exploit does is give lazy hackers more ammunition. Cause let's face it even if MS fixed these within 24 hou

        • What possible reason is there for releasing this stuff anyway? Does it make anyone safer? Unlikely.
           
          On the contrary, the answer is "possibly". If I know the nature of a security hole in Program X, I might be able to find a way to substitute, sandbox or discontinue Program X in my own workflow and thereby become safer.

      • by bloodhawk (813939)
        Quite the reverse, both googles and Microsoft's policy announcements basically condemn the prick act performed by Ormandy.
  • motivation (Score:5, Insightful)

    by Lord Ender (156273) on Thursday July 22, 2010 @03:16PM (#32994342) Homepage

    What is the researcher's motivation to spend the extra time working with Microsoft? They certainly have no obligation to do anything Microsoft asks...

    Personally, I prefer the Google and Mozilla method whereby researchers are paid a bounty of a few thousand dollars for reporting vulnerabilities in the manner the vendor prefers. Microsoft would be wise to follow the leaders rather than invent their own convoluted process.

    • Re: (Score:3, Funny)

      by Anonymous Coward

      Even with $40+ billion in the bank, MS would go broke really quickly with that model...

      [/snarky]

    • by Anonymous Coward on Thursday July 22, 2010 @03:38PM (#32994660)

      Personally, I prefer the Google and Mozilla method whereby researchers are paid a bounty of a few thousand dollars for reporting vulnerabilities in the manner the vendor prefers. Microsoft would be wise to follow the leaders rather than invent their own convoluted process.

      There's a fundamental problem with your comparisons. When a security bug is released in Firefox you see the Mozilla Foundation marvel at the cleverness of the attack. Then a distributed net of individuals quickly work together in an agile way to get the hotfix out and then sometime is spent testing and hardening that fix. When a security bug is released targeting Chrome or any of Google's products, you see Google developers that are comfortable on their campuses swing long hours and work together to push out a fix as quickly as possible. These are all sensible approaches to security bugs.

      With Microsoft, however, you see the heavy thudding of a big corporation. You see a complex inner working of management slow things down. Somebody might ask for an estimate on how much money this is going to cost and that estimate comes back a week later. Senior management starts shredding documents. Engineers start falling from helicopters in Redmond. A tornado of chairs leaves several injured. Microsoft's campus looks like the superdome following Katrina. People are chained to their desks. The reason they ask for 60 days is because that's how long it takes FEMA aid to reach Microsoft ...

      You just can't compare the two ...

      • funny + insightful = +1 funful

      • IOW: MS is too big to turn on a dime.
        MS has become what they were striving to replace: IBM.

        • MS has become what they were striving to replace: IBM.

          They've done what they've set out to do, then?

          Or did you mean to throw in that they didn't want to be like IBM.

        • Re: (Score:3, Insightful)

          by tlhIngan (30335)

          IOW: MS is too big to turn on a dime.
          MS has become what they were striving to replace: IBM.

          More like they can't. A problem may be a simple fix inside a problem module, but it's also got to go through rounds of testing to make sure that simple fix actually doesn't break anything. After all, even doing stuff like implementing LUA showed how badly things broke (see Vista).

          The problem when you're the giant is you attract all the developers. The problem is, most developers write crap for code, and do things they

        • Re: (Score:3, Insightful)

          by DragonWriter (970822)

          IOW: MS is too big to turn on a dime.

          Except that scale is not the fundamental problem, organizational culture is.

        • by sharkey (16670)

          IOW: MS is too big to turn on a dime.

          That's right. MS sells software FOR the agile business, not software WRITTEN BY an agile business.

      • by caluml (551744)

        With Microsoft, however, you see the heavy thudding of a big corporation. You see a complex inner working of management slow things down. Somebody might ask for an estimate on how much money this is going to cost and that estimate comes back a week later. Senior management starts shredding documents

        Honestly? Really? You don't think they have high/critical priority bugs, which get instant visibility right up the escalation tree, managers pushing the rest of the people to get a fix quickly? I've worked for some "big corporations", and when the shit hits the fan, the pressure from above increases immensely. Everyone mucks in, works long hours, gets stuff done.

        Big companies can sometimes take a long time to change direction, or "get it" - but when it's something as fundamental as a very large security hol

    • by pgn674 (995941)

      This video may provide some insight:

      YouTube - Clay Shirky: How cognitive surplus will change the world [youtube.com]

      Bug finders are both producers and consumers of the entire actions and consequences in the process. Finding and reporting security bugs is a civic action (as opposed to a communal one). Having the bargain for this action be based on economics instead of social rewards and punishments may have an adverse affect. So, it may be possible that people who get paid for reporting the bugs may feel that they have

  • by Local ID10T (790134) <ID10T.L.USER@gmail.com> on Thursday July 22, 2010 @03:17PM (#32994346) Homepage

    So they are formalizing common sense into a policy.

    It is a lot better than the previous formal policy of bat-shit crazy.

  • I've never discovered a vulnerability in Windows or anything else, but if I did I'd be fine to sit it for as long as needed, as long as Microsoft got back to me and said "Yeah, we're working on it, here's when you can expect a fix." What's maddening (and actually Microsoft seems to be good about this, it's Apple and Oracle that are the worst offenders) is when someone sends a bug report into a black hole, never hearing anything from the company for months and months. At that point, I see no reason why the r
    • amen. Ahem, why is this flamebait?

    • by Yvanhoe (564877)
      You found a vulnerability.
      You know your bank, your hospital, your tax center has it.
      You know that there is an option to deactivate as a workaround.
      You know that many people are actively searcging for this kind of vulnerabilities and it may be exploited right now.
      And you see Microsoft claiming their product is the best and the most secure everywhere.

      You can wait, yes, but I am unsure of the more responsible way of acting.
  • by Anonymous Coward on Thursday July 22, 2010 @03:25PM (#32994486)
    Posting anonymously for obvious reasons. What happens today if one emails Apple's product security team (product-security@apple.com)? A few things. First, you get a generic pre-generated email that acknowledges that Apple received your email. Next, if you're lucky, you get an email from an analyst who has reviewed your vulnerability. What happens next? 1) No updates are provided. Ever. 2) If you ask for an update as to when the vulnerability will be fixed, you will not get a detailed response. 3) Apple waits several months. 4) Apple waits several months. 5) Apple fixes the bug, possibly. 6) You get an email from Apple asking how you want to be credited. 7) If you're lucky, Apple will send you an email with notification on when they're planning to fix the issue, along with the exact wording of the specific advisory. 8) If you're lucky, Apple will fix the advisory in the week they say they will. 9) Normally, the date will slip a few weeks. Or maybe a month. I applaud Microsoft for doing this. Hopefully Apple will follow suit and move out from the stone ages.
  • About time...
  • If I happened to run across a vulnerability tomorrow I might be inclined and would likely publish it that very day. Microsoft assumes I care for the well being of them and their customers when really I don't. I know this is aimed more at security researchers but then again they may very well feel the same way.

  • by Ancient_Hacker (751168) on Thursday July 22, 2010 @05:04PM (#32996024)

    Here's a radical idea: How's about they don't release code tons of fresh code every cycle, and instead maybe check the code over first for buffer overflows, NULL pointer abuse, heap munging, and all the other obvious ways of executing code?

    Just sayin'

  • by AlgorithMan (937244) on Thursday July 22, 2010 @05:30PM (#32996386) Homepage
    OSS: find a bug, fix it (because you can), submit code changes

    CSS: find a bug, see a lawyer, contact a CERT, wait several weeks for a response, sign an NDA, share vulnerability informations, wait 2 months, ask for status, wait for an answer for 4 more months, realize that the vendor will do squat about the vulnerability as long as his customers don't know how threatened they are, release the infos to the public to put pressure on the vendor, be threatened by the vendors lawyers, be called a criminal by the vendors customers and the press and politics, have a house-search, wait 2 more months, get patch, realize that it doesn't fix the problem, rinse and repeat
  • I am very curious how Microsoft defines "ample time" especially considering some of their vulnerabilities (like the one recently "patched" in the DOS subsystem) have existed for years or decades.

    This isn't a slam at Microsoft, it's a hope that someone has some clarification that can be used as a context to determine if this statement means anything. Even when the terms of their statements are less ambiguous, they seem to find ways of backpedalling - thus greater clarity on something so very ambiguous is w

    • LoL, someone who doesn't know much about computers got mod points. One can choose not to like the truth, but, as even Microsoft themselves admitted, this is NOT a change in policy - it's a change in NAME only.

    • by Dan Ost (415913)

      Why is this modded "troll"?

      "Insightful" is more appropriate. Near as I can tell, this post is dead on.

  • All they did was rename it:

    "[CVD] is the same thing as responsible disclosure, just renamed," repeated Reavey. "When folks use charged words, a lot of the focus then is on the disclosure, and not on the problem at hand, which is to make sure customers are protected, and that attacks are not amplified."

    http://www.computerworld.com/s/article/9179546/Drop_responsible_from_bug_disclosures_Microsoft_urges [computerworld.com]

COMPASS [for the CDC-6000 series] is the sort of assembler one expects from a corporation whose president codes in octal. -- J.N. Gray

Working...