Under the new policy, Microsoft will publish vulnerabilities that its staff uncover in third-party software and problems discovered by outside researchers and reported to the Microsoft Security Response Center.
Matt Thomlinson, general manager at Microsoft’s Trustworthy Computing Security, explained that the company is “providing more transparency and insight into our disclosure philosophy by announcing three updates to our disclosure practices – a CVD [Coordinated Vulnerability Disclosure] at Microsoft document, MSVR [Microsoft Vulnerability Research] Advisories, and our internal corporate Disclosure of Vulnerabilities policy.”
The CVD document “clarifies how Microsoft responds not only as a vendor impacted by vulnerabilities in its products and services, but as a finder of vulnerabilities in third-party products and services, and as a coordinator of vulnerabilities that affect multiple vendors”, Thomlinson said.
The MSVR advisories will disclose vulnerabilities discovered by the company in third-party vendor products. Microsoft stressed that it will not disclose vulnerabilities until the vendor has been notified and a fix is available.
To kick off the effort, Microsoft issued advisories about flaws that staff found in Chrome versions 6 and 8 and in Opera version 10.6. Apparently Microsoft is not going for timeliness, since Chrome is currently in version 10.
The internal corporate vulnerability disclosure policy outlines protocols for employees to follow when a third-party product vulnerability is discovered, including timely reporting of discoveries.
“After a product or service is released, we feel security is a shared responsibility across the broad community. Collaboration between security researchers and vendors is ultimately about preventing attacks and protecting the computing ecosystem”, Thomlinson concluded.