This is always a fairly emotional topic. What protects the ecosystem better: public or private disclosure? Should vendors pay for vulnerabilities or not? Is a vulnerability auction ethical or not?
I know there are numerous views on this, and I do not want to debate them here and now. What I want to do here is simply to lay out Microsoft's position:
Microsoft has been working in close collaboration with the researcher community for a long time, and my understanding is that researchers are fairly impressed with what we do once they get the opportunity to look behind the scenes. One outcome of this outreach is BlueHat, a Microsoft-internal event where researchers talk to our developers: a very interesting and insightful get-together.
When it comes to handling vulnerabilities, I guess you know the Microsoft Security Response Center (MSRC), the group within Microsoft chartered with handling security vulnerabilities. The policy behind working with the researcher community is two-fold:
- We do not pay for security vulnerabilities, nor do we intend to. ZDNet ran an article on this again a few days ago: "Microsoft: No plans to pay for security vulnerabilities".
- We recently announced a slight change in strategy towards Coordinated Vulnerability Disclosure, an approach in which the collaboration between the finder and the vendor is deepened.
For me, the joint goal of researchers and vendors has to be to protect the ecosystem against criminals. By ecosystem I mean not only the big enterprises, which have security teams able to act on detailed vulnerability information, but also small and medium businesses and consumers like my mom and dad. We therefore think the two points above help meet that requirement.
What are your thoughts on that?