Coordinated Vulnerability Disclosure: From Philosophy to Practice

Last summer at the Black Hat security conference, we announced a philosophical shift in how we refer to vulnerability disclosure, called "Coordinated Vulnerability Disclosure" (CVD). Our intent was to focus on how coordination and collaboration are required to resolve security issues in a way that minimizes risk and disruption for customers.  Since then, feedback from the broader security community has been generally supportive.

Today, we're providing more transparency and insight into our disclosure philosophy by announcing three updates to our disclosure practices: a CVD at Microsoft document, MSVR Advisories, and our internal corporate Disclosure of Vulnerabilities policy.

The Coordinated Vulnerability Disclosure (CVD) at Microsoft document clarifies how Microsoft responds not only as a vendor impacted by vulnerabilities in its products and services, but also as a finder of vulnerabilities in third-party products and services, and as a coordinator of vulnerabilities that affect multiple vendors. Drawing upon our years of experience, we have seen that disclosing vulnerability details and/or exploits before a vendor has had a chance to address the issue amplifies the risk of attacks.

As part of the Microsoft Vulnerability Research (MSVR) program, we are releasing the first MSVR Advisories for issues discovered by Microsoft in third-party vendors' products. These issues were privately reported to the affected vendors, who have since provided remediation. Since it began operating in August 2008, MSVR has privately reported many vulnerabilities to other vendors to help improve the broader security ecosystem. MSVR Advisories further document our commitment to handling vulnerability disclosure in a coordinated way. Read more about our CVD philosophy and commitment to the security research community in Katie Moussouris' post on the EcoStrat Blog.

To help affirm Microsoft's commitment to the security of the computing ecosystem, Microsoft has adopted an internal corporate Disclosure of Vulnerabilities policy that establishes protocols for employees to follow when a vulnerability is discovered in a third-party product or service.

We believe the most effective approach to security is a comprehensive Security Development Lifecycle that reduces or mitigates vulnerabilities before a product is released. After a product or service is released, we feel security is a shared responsibility across the broad community. Collaboration between security researchers and vendors is ultimately about preventing attacks and protecting the computing ecosystem. By working together through coordinated efforts when vulnerabilities are identified, we can effectively minimize customer risk while a solution is developed. We encourage others to adopt this philosophy in the interest of creating a safer and more trusted internet for everyone.

Thank you,

Matt Thomlinson
General Manager, Trustworthy Computing Security