Coordinated Vulnerability Disclosure

Microsoft subscribes to coordinated Vulnerability Disclosure, and I am a proponent of this process.  This is much like what I described in an earlier rant and have been professing for years.  It seems to be unpopular with some vulnerability researchers, as it does not provide a direct and immediate cash payout, or the extreme notoriety that irresponsible disclosure often provides.

Check out Microsoft’s article, and great little video that explains the whole process, or just read the excerpt below if you don’t have the time…

Under the principle of Coordinated Vulnerability Disclosure, finders disclose newly discovered vulnerabilities in hardware, software, and services directly to the vendors of the affected product, to a national CERT or other coordinator who will report to the vendor privately, or to a private service that will likewise report to the vendor privately. The finder allows the vendor the opportunity to diagnose and offer fully tested updates, workarounds, or other corrective measures before any party discloses detailed vulnerability or exploit information to the public. The vendor continues to coordinate with the finder throughout the vulnerability investigation and provides the finder with updates on case progress.

Upon release of an update, the vendor may recognize the finder in bulletins or advisories for finding and privately reporting the issue. If attacks are underway in the wild, and the vendor is still working on the update, then both the finder and vendor work together as closely as possible to provide early public vulnerability disclosure to protect customers. The aim is to provide timely and consistent guidance to customers to protect themselves.

For more information on CVD, download the document, Coordinated Vulnerability Disclosure at Microsoft.  Once again I am pleasantly surprised to be saying, Thank You Microsoft, for sharing and caring.