Calling the term “responsible disclosure” too subjective, Microsoft on Thursday announced a new initiative around vulnerability reporting that seeks to align efforts between researchers and vendors.
Labeling the practice “coordinated vulnerability disclosure,” Microsoft is hoping to silence the ongoing debate over how software, hardware and service flaws are reported to vendors by researchers — and how both parties should appropriately respond. The issue came to head recently when a Google researcher, in a post on Full Disclosure, released details about a Windows vulnerability after he was unable to negotiate a timeline for a fix with Microsoft.
“[W]e believe that the community mindset needs to shift, framing a key point — that coordination and collaboration are required to resolve issues in a way that minimizes risk and disruption for customers,” Matt Thomlinson, general manager of security at Microsoft’s Trustworthy Computing group, wrote in a blog post Thursday. “Responsibility is still imperative, but it is a shared responsibility across the community of security researchers, security product providers and other software vendors.”
The proposed process is not too dissimilar to how vulnerability submissions typically have played out.
Microsoft suggests that newly discovered flaws be reported privately to the affected vendor. As an alternative, researchers can take their discoveries to coordinators such as CERT/CC or to a private service that offers payment for submissions, such as TippingPoint’s Zero Day Initiative or VeriSign’s iDefense. These entities would privately notify the impacted vendor.
The submitter then should allow the vendor time to confirm the bug and offer corrective actions, such as patches or workarounds, according to Microsoft.
“If attacks are underway in the wild, earlier public vulnerability details disclosure can occur with both the finder and the vendor working together as closely as possible to provide consistent messaging and guidance to customers to protect themselves,” Thomlinson said.
Dino Dai Zovi, an independent security researcher based in New York, told SCMagazineUS.com on Thursday that he was happy to see Microsoft do away with “responsible disclosure,” a moniker that gained widespread acceptance throughout the security industry but seemed to imply that if one wasn’t doing it the Microsoft way, he or she was doing it the wrong way.
“I think it presupposes that anything else is not responsible,” Dai Zovi said. “Coordinated disclosure is more descriptive, less judgmental and describes what the process is.”
However, Dai Zovi said Microsoft still has a long way to go. For example, he said the software giant does not offer a bounty program for bug discoveries, like Google and Mozilla do, nor does the company require that fixes be issued in a specified period of time. This, he said, is the difference between those providers that are “actively inviting” vulnerabilities versus “passively responding” to them.
“Their policies were shaped by a different era,” Dai Zovi said. “Back then, you didn’t have both widespread and targeted zero-day attacks. I think that encountering these new developments requires a change in policy.”
The announcement from Microsoft comes two days after Google chimed in on the disclosure issue, suggesting new guidelines that all vendors should patch bugs within 60 days. If they fail to meet the agreed-upon deadline, or if they fail to address the issue, the researcher has the right to disclose details about the vulnerability in question.
Chris Wysopal, CTO of application security provider Veracode said that all too often, vendors are the ones calling the shots.
“I think the biggest issue that finders or researchers have is the timeline,” he told SCMagazineUS.com on Thursday. “I could tell you that most researchers are frustrated with vendors for taking what seems to be too long of a time.”
Wysopal, who joined more than a dozen other industry experts in consulting with Microsoft on the announcement, said Veracode research has determined that fixes to open-source software are on average delivered twice as fast as for commercial products.
“I think that goes to show you that vendors can develop and come up with fixes faster,” he said. “The only way that can happen is if customers put pressure on the vendors.”
As part of its new initiative, Microsoft did not offer a maximum deadline for patches to be issued.
Instead, “finders and vendors should try to agree to a timeline for fixing the issue,” wrote Katie Moussouris, senior security strategist at Microsoft, in a separate blog post.
“Complex cases may take longer to fix, and Microsoft will be as transparent about our investigation with finders as we can be, to let them know where we are in the investigation and resolution process,” she wrote. “We appreciate finders being flexible when we share information with them about why a fix may take longer than the finder thinks it should.”
For Microsoft, the main priority is preventing researchers from publicly publishing details about a security issue prior to customers being offered protection.
“As Microsoft shifts its philosophy to this new approach, we are asking the broader security community to embrace the purpose of this shift, which is ultimately about minimizing customer risk — not amplifying it,” Thomlinson wrote. “This distinction is critical.”