Drop responsible from bug disclosures Microsoft urges

Microsoft today pitched its own proposal for how software makers react to bugs reported by researchers, calling for a name change to describe the process it prefers.

Rather than dub the back-and-forth between bug finders and vendors “responsible disclosure” — a term that implies that the researcher reports a bug, then waits for the developer to patch it before going public with news of the flaw — Microsoft MCTS Training wants everyone in the security community to use a different moniker: “coordinated vulnerability disclosure,” or CVD.
Cisco’s Storage Savings Success: Download now

The company admitted the move is primarily a name change, and that much of the rest of its proposal is what Microsoft has urged in the past.

“This isn’t a drastic departure at all,” said Mike Reavey, director of the Microsoft Security Response Center (MSRC), Microsoft’s in-house security team. “What we want to do is what works best to minimize risk to customers, and to remove emotion, which isn’t helpful to anyone.”

Related Content

* Malware openly available in China, researchers say
* Massive check-fraud botnet operation tied to Russia
* Google patches Chrome, sidesteps Windows kernel bug
* Ensure 360-Degree Border SecurityWHITE PAPER
* Sleazy Marketers Game Google’s Sponsored Ads

* Security suites: big protection, little fuss
* Automated software quality assurance really mattersBLOG
* BitBlaze tool boosts bug-hunting productivity 10-fold
* Email on Cruise Control: How to Guarantee Security, Speed and Confidence in EmailWHITE PAPER
* Alleged Mariposa botnet hacker arrested in Slovenia

Reavey argued, as others have before, that “responsible disclosure” is a loaded name, since by implication anyone who doesn’t follow its bug-reporting steps — going public with details or attack code before a patch is ready — is by implication labeled as “irresponsible.”

“[CVD] is the same thing as responsible disclosure, just renamed,” repeated Reavey. “When folks use charged words, a lot of the focus then is on the disclosure, and not on the problem at hand, which is to make sure customers are protected, and that attacks are not amplified.”

Other than the name change, Microsoft’s proposal — which was spelled out in several blog posts by company executives, including the most detailed by Katie Moussouris, a senior security strategist on the MSRC ecosystem strategy team — is essentially a more explicit rendering of previous positions and practices.

One of the key points Microsoft made is that it wants to keep the lines of communication open between itself and security researchers, even when the latter broadcast their findings without reporting a bug to Microsoft or waiting on a patch.

“We want to be more clear about our philosophy, so first, we would appreciate a heads-up, even if the researcher does ‘full disclosure,'” said Reavey, referring to the label applied when a bug hunter goes public with all the details he has about a vulnerability before a patch is available. “And two, that we’ve operated this way before, so that if a vulnerability is under attack, certainly, we’ll release some information and advice.”

Moussouris echoed Reavey in her blog. “For finders who still believe that full disclosure is the best way to protect users, we respectfully disagree, but we still want to work with you if you’re willing,” she said. “We’d encourage folks who support [full disclosure] to still contact us, as we can then attempt to coordinate release of information with protections that are available.”

Microsoft isn’t the first to propose changes to the sometimes-rocky relationships between security researchers and the vendors whose products they label as vulnerable to attack.

On Tuesday, Google published what it called “Rebooting Responsible Disclosure,” a proposal that featured, among other elements, a call for a hard deadline of 60 days to patch a problem.
60 Minutes with Security Visionary Nir Zuk: View now

Reavey disagreed with Google. “I don’t think there’s a one-size-fits-all-issues as far as a timeline,” he said. “If the update doesn’t work, it doesn’t protect anyone.”

Microsoft has long taken the position that it fixes bugs as fast as it can, but that testing the quality of an update is just as critical as patching. Screwing up a patch, said Reavey, can have an enormous impact on Windows users, who often apply the updates without testing them themselves.

John Pescatore, Gartner’s primary analyst on security issues, took Microsoft’s side, saying that Google’s proposal was colored by the fact that most of its software is in the cloud, and that the most prominent exception, its Chrome browser, is simple in comparison to an operating system like Windows.

“Browsers are not typical of lots and lots of legacy software, like Microsoft’s or Oracle’s,” Pescatore said, adding that it’s unrealistic to expect every bug to get fixed in two months.

“There’s often a six-month time frame for an enterprise before they can even push patches [within their organization], even after a patch is released,” Pescatore said. “There’s all kinds of code that’s not as simple to patch as a browser, and that requires longer delays before a patch can be implemented.”

The Microsoft and Google proposals are the latest in an increasingly-heated discussion among researchers and vendors about disclosure that was prompted in part by an incident last month when a Google security engineer went public with a critical Windows bug just five days after reporting it to Microsoft.

In early June, Tavis Ormandy, who works for Google’s Switzerland office, published attack code for a Windows XP vulnerability, and immediately unleashed a heated debate. While some security researchers criticized Ormandy for taking the bug public, others rose to his defense, blasting both Microsoft and the press — including Computerworld — for linking Ormandy to his employer.

Ormandy said he disclosed the vulnerability five days after reporting it to Microsoft when the company wouldn’t commit to a patching deadline. Microsoft has disputed that, claiming that it only told Ormandy it would need the rest of the week to decide.

Reavey denied that today’s change was triggered by the Ormandy disclosure, saying that Microsoft MCITP Certification had been thinking about CVD for months, and had been working with outside researchers and security experts long before the June brouhaha.

But Reavey did admit that things might have worked out differently if the CVD philosophy had been in place last month. “We might have been more clear that we wanted to work together on this,” Reavey said. “That [event] was difficult for all of us. [With CVD], we want to explicitly make sure we communicate that we want to continue the dialog.”

Reactions by researchers to Microsoft’s name change and Google’s earlier 60-day deadline idea was mixed.