Vulnerability Disclosure to Compete?

As you know (I stress it fairly often), I am Swiss. The reason I am stressing it today is that I want to give you an example on security from the Swiss market: The banks here compete with each other, obviously. However, I have never seen the banks compete on security. They never use, for example, new authentication schemes in eBanking to compete. There is nothing like "our eBank is more secure than our competitor's" or "have you seen, our competitor was just successfully phished". The reason for that is fairly simple: if the banks start to blame each other, trust in the ecosystem as such will erode and the whole banking system will lose, which is to the advantage of none of the banks.

Why do I tell you this? Well, as you know, we at Microsoft have been promoting responsible disclosure of vulnerabilities for years. We do not buy vulnerabilities, and if we find vulnerabilities in third-party products, we let the vendor know and help them fix the issue. This is to protect the ecosystem and to protect our customers, as public, irresponsible disclosure puts all our joint customers at risk.

By the way, on a side note, I want to make sure you have seen the advisory we released yesterday, Vulnerability in Windows Help and Support Center Could Allow Remote Code Execution, as it might be important for you to understand the workarounds. The history of this vulnerability can be found here: Windows Help Vulnerability Disclosure. I just want to quote the blog post: "This issue was reported to us on June 5th, 2010 by a Google security researcher and then made public less than four days later, on June 9th, 2010. Public disclosure of the details of this vulnerability and how to exploit it, without giving us time to resolve the issue for our potentially affected customers, makes broad attacks more likely and puts customers at risk."

Roger