The Microsoft Security Response Center announced earlier today via their TechNet blog a change in the practice of disclosing vulnerabilities. Responsible disclosure being the hot topic for last month shows its cause-effect relationship with today’s announcement being the ‘effect’ part. Microsoft is sticking to its guns and holds fast “that coordination and collaboration are required to resolve issues in a way that minimizes risk and disruption for customers.”
Coordinated Vulnerability Disclosure is mostly just a way of spelling out the concept of responsible disclosure that most people seem to already understand. Microsoft explains ideally how disclosure would occur:
Coordinated Vulnerability Disclosure (CVD): Newly discovered vulnerabilities in hardware, software, and services are disclosed directly to the vendors of the affected product, to a CERT-CC or other coordinator who will report to the vendor privately, or to a private service that will likewise report to the vendor privately. The finder allows the vendor an opportunity to diagnose and offer fully tested updates, workarounds, or other corrective measures before detailed vulnerability or exploit information is shared publicly. If attacks are underway in the wild, earlier public vulnerability details disclosure can occur with both the finder and vendor working together as closely as possible to provide consistent messaging and guidance to customers to protect themselves.
The main change is that the philosophy stresses the shared responsibility between security researchers and vendors.
CVD’s core principles are simple: vendors and finders need to work closely toward a resolution; extensive efforts should be made to make a timely response; and only in the event of active attacks is public disclosure, focused on mitigations and workarounds, likely the best course of action — and even then it should be coordinated as closely as possible.
The end goal in this marketing re-branding is still to minimize the risk of those using particular software, hardware, or service providers. Part of the problem is that the term ‘responsible’ might be considered a loaded term and a security researcher might believe they are being responsible through full public disclosure as incentive for the vendor to quickly release a patch and the rest of the security community to validate the vulnerability and come up with fixes and work-arounds.
If you’re interested in learning more about this reframing, you should read the Microsoft Security Response Center announcement and further explanation in step form of the “new” CVD process through today’s entry over at the MSRC Ecosystem Strategy Team Blog.