Microsoft Updates Coordinated Vulnerability Disclosure Program
Today, Microsoft released an update to their Coordinated Vulnerability Disclosure (CVD) program. The CVD program aims to streamline how vulnerabilities are disclosed, how they are addressed by the vendor, and how that work is coordinated with security researchers.
For some time now, there has been a massive and quite ugly debate over Responsible Disclosure versus Full Disclosure when it comes to software vulnerabilities. The main difference between the two comes down to how and when software vulnerabilities are disclosed to the public. If a vulnerability is disclosed publicly before the vendor has had a chance to patch the flaw, that is considered Full Disclosure.
I am not going to say what side of the argument I have been on to this point as this shift in Microsoft’s philosophy has changed my stance on the subject. A change is needed in the security industry on vulnerabilities, and Microsoft is stepping up to the challenge of bringing the security community together. This effort to truly coordinate the disclosure of vulnerabilities is a turning point in software security and I am not surprised Microsoft is taking the lead.
First, Microsoft has released the Coordinated Vulnerability Disclosure at Microsoft document, which lays out its policies and procedures for handling vulnerabilities. This document fully describes the steps and actions Microsoft is going to take in regard to vulnerabilities. The document is very thorough and definitely worth reading.
Second, Microsoft is making the effort to work with third-party (non-Microsoft) vendors and security researchers to close the gap on vulnerability disclosure. This has been one of the biggest challenges to date on the vulnerability disclosure subject. Working cooperatively with both vendors and researchers, the Microsoft Vulnerability Research (MSVR) group will use its resources to jointly work on issues that affect multiple vendors.
In this joint effort, Microsoft will now be publishing “Microsoft Vulnerability Research Advisories” (MSVR). These advisories will be published once the affected vendor has released a resolution for the vulnerability.
The MSVR program is already showing the value of working together on vulnerabilities: today it released two new “Microsoft Vulnerability Research Advisories.”
- MSVR11-001: affecting Google Chrome
- MSVR11-002: affecting Google Chrome and Opera
In both cases, Microsoft researchers found vulnerabilities in third-party software. Microsoft worked with all affected software vendors by supplying the vulnerability details to them in confidence and coordinating a release effort with both. Only after both vendors had supplied patches for the vulnerabilities did Microsoft release the security advisories. The advisories are very similar to Microsoft Security Advisories (advisories that apply to Microsoft products). The advisories include the following information:
- CVE information
- The severity of the vulnerability
- How the vulnerability might be attacked
- What could happen if the vulnerability is attacked
- Suggested actions or workarounds
At the end of the day, researchers and software vendors, whether Microsoft or non-Microsoft, are all on the same side when it comes to vulnerabilities and protecting systems. This update of the CVD program at Microsoft should be just the little push in the back the industry needs to get a leg up on attackers exploiting zero-day vulnerabilities.
- Jason Miller