THE WAY VULNERABILITIES are reported needs to change, says Microsoft, days after Google asked whether ‘responsible disclosure’ is actually working.
In a blog post on Tuesday, the Google Security Team questioned whether responsible disclosure, which means privately informing software vendors about vulnerabilities, is working.
Under that model the vendor addresses the problem at some later date, and the researcher publishes the details on or after that date. But Google said the word ‘responsible’ was a misnomer: the model leaves the way open for vendors to delay fixes indefinitely, sometimes for years.
Most vendors, Microsoft among them, favour this so-called responsible disclosure, but others argue that ‘full disclosure’, where full details of a flaw are made available to everybody simultaneously, is better because it forces vendors to fix the problem.
So to strike a balance and make sure that everyone involved is on the same page, Microsoft has renamed its policy from responsible disclosure to ‘coordinated vulnerability disclosure’.
In practice, this means that the finder of a bug reports the problem privately to the affected vendor, giving it an opportunity to fix the problem, and the two then work together to make sure the issue actually gets fixed.
It is not a huge step away from the original principle, and if it works it should mean that delays in fixing security vulnerabilities become a thing of the past. µ
That's progress the M$ way. It's the "anti-Rumpelstiltskin" method of management: if you can just make the name unpronounceable, the problem goes away because no one can say it.
Now that management has this new moniker and philosophy in place, all that remains is for code monkeys to fix actual bugs.