Microsoft is attempting to reshape responsible disclosure by security researchers, announcing a new model that it says could provide a more coordinated response to zero-day vulnerabilities.
Called "Coordinated Vulnerability Disclosure" (CVD), the new model is similar to Microsoft's responsible disclosure policy. It urges security researchers to report the issue to the vendor or to a Computer Emergency Readiness Team coordination center. Under the CVD both the vendor and the researcher would agree to a timeline to fix the issue. In a blog entry, Microsoft's Matt Thomlinson general manager, of Security at Trustworthy Computing, said the software giant would attempt to provide as much transparency as possible to the process.
"Responsibility is still imperative, but it is a shared responsibility across the community of security researchers, security product providers and other software vendors," Thomlinson wrote in the Microsoft Security Response Center blog. "Each member of this community of defenders plays a role in improving the overall security of the computing ecosystem."
Microsoft's new model follows the public disclosure of a zero-day vulnerability by noted security researcher Tavis Ormandy of Google. Within days, Microsoft issued a statement warning that it had detected malicious attacks attempting to target the vulnerability. Ormandy issued proof-of-concept code targeting the flaw in Windows XP.
Thomlinson said Microsoft and other software makers should be responsible for clearly communicating with the security researcher reporting the flaw. The software maker pledged to provide timely updates and target dates for resolution. In addition, Thomlinson said security researchers adhering to the policy could publish advance security advisories with limited details, leaving out proof-of-concept code.
"Vendors and finders need to work closely toward a resolution; extensive efforts should be made to make a timely response; and only in the event of active attacks is public disclosure, focused on mitigations and workarounds, likely the best course of action -- and even then it should be coordinated as closely as possible," Thomlinson wrote.
Security researchers speak out
While Microsoft's new model is being supported by a number of experts, other researchers say it won't likely have much effect on how flaws are reported.
H.D. Moore, chief architect of the Metasploit penetration testing framework, and a long time advocate of the security researcher community, called Microsoft's announcement an "attempt to control the responsible disclosure debate." The model still doesn't have any teeth, Moore said. Vulnerability hunters ultimately have the decision whether to disclose a flaw publicly or take it up privately with a software vendor, he said.
"Microsoft is good about acknowledging a vulnerability, but where they fall down is fixing it in a timely manner," Moore said in an interview with SearchSecurity.com. "What they don't seem to be acknowledging is that the vendor doesn't set the rules. The vendor never sets the rules."
Moore, who is chief security officer at Rapid7 Inc., said the only way a software vendor can maintain legitimate control is if a contract is in place with researchers by paying researchers through some kind of a reward program.
In a blog post describing the new model in more detail, Katie Moussouris, a senior security strategist on the MSRC ecosystem strategy team, listed a number of security experts who support the philosophy change. Moussouris called the change "a renaming of Responsible Disclosure that provides expectations and a process for Microsoft and researchers to work together without either party clouding the discussion with a term that is easily misinterpreted, even in cases where disclosure philosophies may not be entirely in sync."
Brian Martin, president of the Open Security Foundation and a Nessus vulnerability scanner expert at Columbia, Md.-based Tenable Network Security, called Microsoft's new approach, an attempt to take out some of the polarizing issues related to "responsible disclosure," and make its internal policies more transparent.
"This debate has been going on for decades and it's likely to continue," Martin said. "I don't see this as Microsoft saying they want all of the control, I see it as establishing this as how they operate and address fixes."
Dino Dai Zovi, an independent security researcher, also supports the name change, calling "responsible disclosure" a loaded term. Microsoft could take it a step further by offering bug bounties or holding themselves to more aggressive patch timelines, Dai Zovi said.
"It implies that anything but Microsoft's strictly defined policies of how to handle a security vulnerability is irresponsible," Dai Zovi wrote in an email message. "Their other changes are positive as well, but their policy is still nowhere near as researcher-friendly as Google's or Mozilla's. "
Mozilla offers up to $3,000 for bugs found in its software. Meanwhile, Google offers up to $3,133 for bugs found in its Chrome browser and announced that vulnerabilities should be fixed within 60-days. By being more flexible, Google and Mozilla proactively invite researchers to report vulnerabilities, he said.
Charlie Miller, a security researcher at Independent Security Evaluators, said Microsoft's announcement is a welcome change, but fails to address other issues. "Namely, why doesn't Microsoft pay for found bugs like Mozilla and Google do? Don't they value the security of their products enough to pay for the reporting of serious security vulnerabilities? Also, what happens when MS can't fix a bug within 60 days?"
In a phone interview, Miller said Google and Mozilla gain a certain level of control by entering into a contract with security researchers, giving the financial incentive for reporting flaws directly.
"For me, it doesn't do me any good to have my name on an advisory since I'm established, so there's no motivation for me to spend weeks looking for bugs to give to Microsoft," Miller said.