Microsoft Amends Policy on Reporting Security Flaws
Microsoft has changed its guidelines for reporting security flaws. It's a move that could bring Adobe into an industry-wide collaboration to share information about security risks.
From now on, Microsoft will no longer urge security researchers to follow a "responsible disclosure" policy, in which it asked those who discovered flaws to keep them completely under wraps until a full fix had been found, tested and readied for distribution.
Many security experts have claimed such a policy delayed Microsoft's response to security threats. They also felt that being unable to talk about bugs made it hard to collaborate with others in the security community to develop possible solutions.
A Coordinated Vulnerability Disclosure
Microsoft is now proposing a concept it dubs "Coordinated Vulnerability Disclosure". The company vows to work with security researchers to develop fixes for the bugs they discover. In return, it won't object if they speak out earlier in the process. (Source: arstechnica.com)
Microsoft still requests researchers not publish "proof of concept" code without its approval. Such code is used by researchers to show that a bug could genuinely be exploited, but Microsoft feels it gives too much detail to would-be hackers.
The change of approach may have been prompted by the recent discovery of a bug by Google's Tavis Ormandy, who publicized details five days after telling Microsoft. He was accused of irresponsible behavior by the Redmond-based firm, but said Microsoft had refused to commit to tackling the bug within two months and that going public was the only way to force the company to act.
Adobe Joins Security Partnership
Microsoft has also signed up Adobe to its Active Protections Program. This scheme has around 65 members, mainly manufacturers of security software like antivirus packages.
As part of the scheme, Microsoft gives the members advance access to its forthcoming security updates on a confidential basis. This allows them to make sure their products are up-to-date when Microsoft goes public, which is usually followed by an immediate increase in the number of attacks.
Adobe will receive this information but, more significantly, has also agreed to use the scheme to distribute details of its own security fixes. The partnership builds on a previous Adobe decision to publish its scheduled security updates to coincide with those issued by Microsoft. (Source: microsoft.com)
My name is Dennis Faas and I am a senior systems administrator and IT technical analyst specializing in cyber crimes (sextortion / blackmail / tech support scams) with over 30 years' experience; I also run this website!