23 Jul 2010
Microsoft has modified its way of dealing with security researchers in an attempt to make the process of finding and fixing flaws easier and more secure.
The industry is currently debating the merits of full disclosure, where flaw information is published before a patch is available, and responsible disclosure, where news is held back until a patch is available.
"Most vendors, including Microsoft, are in favour of responsible disclosure, while finders fall across the spectrum from full to responsible," said Katie Moussouris, senior security strategist at Microsoft, in a blog post that has drawn the support of some of the biggest names in the industry.
"Responsible disclosure should be deprecated in favour of something focused on getting the job done, which is to improve security and to protect users and systems."
Microsoft's planned Coordinated Vulnerability Disclosure system will be broadly similar to current responsible disclosure systems, but with the caveat that, if attacks are discovered in the wild, Microsoft and researchers will announce the problem and publish any available workarounds.
Moussouris explained that, while Microsoft disagrees with the full disclosure advocates, the firm still wants to work with researchers who operate under those principles so that any announcement can be co-ordinated.
"It is evident from listening to those on both extremes of the disclosure argument that there is one thing that we are all trying to do: protect customers," said Matt Thomlinson, general manager of security at Trustworthy Computing, in a blog post.
"We've been working with the security community closely for years to co-ordinate our actions for the benefit of customers. Co-ordinated vulnerability disclosure will help keep users safe."