Microsoft Announces New Vulnerability Disclosure Program
Microsoft announced today a change in the way they will be handling vulnerability disclosures with the Coordinated Vulnerability Disclosure (CVD) program. This is a very interesting article.
Microsoft is coming out and saying that the way vendors and security researchers currently handle vulnerability disclosures is simply not working and needs a major overhaul. I wholeheartedly agree with this. There has been too much finger-pointing between vendors and security researchers. Microsoft couldn’t have said it better:
Responsibility is still imperative, but it is a shared responsibility across the community of security researchers, security product providers and other software vendors. Each member of this community of defenders plays a role in improving the overall security of the computing ecosystem.
In the end, disclosing vulnerabilities before a fix is available puts everyone at risk. I am sure attackers have been chuckling at the “responsible disclosure” debate for years. Let’s hope that the new CVD program helps mitigate zero-day exploits (and soon).
- Jason Miller