Microsoft updates "coordinated" bug program

Microsoft has announced new components to its Coordinated Vulnerability Disclosure program, unveiled last summer to enhance transparency around the discovery, response and handling of security flaws.

Among the updates, announced Wednesday, Microsoft released a document that describes how Microsoft responds to bugs that researchers report to the software giant. The paper also chronicles the procedures Microsoft follows when it discovers a vulnerability in a third-party product, and how it helps lead coordination when a vulnerability affects multiple vendors, so as to minimize end-user harm.

Also as part of its Wednesday announcement, Microsoft, for the first time, released advisories related to bugs its research team has discovered in third-party products. The holes, already fixed, affected the Google Chrome and Opera browsers.

In the document, Microsoft explains how it goes about notifying and working with impacted vendors, such as Google or Opera. It begins by reporting the issue to the vendor and asking for periodic updates, for example, an estimate for when a patch will be ready.

"Under no circumstances will Microsoft release details of an unpatched vulnerability unless evidence of public attacks exist," said the report.

If a vendor fails to respond to Microsoft, the company "will then leverage existing contacts, business relationships, industry associations, or other connections with the vendor in order to help solicit a response. Only as a last resort, and after exhausting multiple various avenues and approaches for contact, will (Microsoft) consider a vendor to be nonresponsive."

Only after deeming a vendor nonresponsive would Microsoft consider publishing details of the flaw, and even then only if the flaw had already become publicly known.
