Microsoft tells staff to report flaws in third-party software

by Iain Thomson

20 Apr 2011

Microsoft has told staff to report any bugs they find in third-party software as part of a drive to increase the company's engagement with the security industry.

Any bugs found internally in non-Microsoft products will be reported to Microsoft Vulnerability Research (MSVR), which will contact other software vendors to sort out remediation and patching for the affected software.

However, Microsoft warned that a flaw will be disclosed if the vendor does not respond to the report and every other attempt to make contact has failed.

"After a product or service is released, we feel security is a shared responsibility across the broad community," said Matt Thomlinson, Microsoft's Trustworthy Computing security general manager.

"Collaboration between security researchers and vendors is ultimately about preventing attacks and protecting the computing ecosystem. By working together through co-ordinated efforts when vulnerabilities are identified, we can effectively minimise customer risk while a solution is developed."

Under the MSVR policy, announced as Co-ordinated Vulnerability Disclosure last year, Microsoft has released information on two flaws in Google's Chrome browser and a single problem with Opera as part of a move towards fuller disclosure of software vulnerabilities.

The flaws include a vulnerability in versions of Chrome prior to the 6.0.472.59 build that allowed remote code execution in the browser's sandboxed area. Chrome 8.0.552.210 and earlier, and Opera 10.62 and earlier, were also affected by an HTML5 vulnerability.

Microsoft has been taking increasing steps to integrate with the security industry, and follows HP/TippingPoint in having shifted to sharing vulnerabilities sooner rather than later, even if patches do not exist.
