First published: 31st July 2010
In a blog post on 22 July, Microsoft announced a change to the name of the process it asks security researchers to follow when they find flaws in its products, saying,
Today, Microsoft is announcing a shift in philosophy on how we approach the topic of vulnerability disclosure, reframing the practice of "Responsible Disclosure" to "Coordinated Vulnerability Disclosure."
The shift is interesting because Microsoft has been a strong supporter of Responsible Disclosure since 2001, when the manager of the Microsoft Security Response Center (MSRC), Scott Culp, published an article, "It's Time to End Information Anarchy", arguing that researchers should withhold details of vulnerabilities until the vendor concerned had a patch ready for release. At the time of writing the article could no longer be found on Microsoft's website. In November 2001, Microsoft was the driving force behind a proposed RFC (Request for Comments, the document series in which internet standards are published) called "Responsible Vulnerability Disclosure Process", but the draft never became a standard.
Yui Kee Chief Consultant Allan Dyer commented, "This can easily be seen as a climbdown by Microsoft. The choice of the term 'responsible' in 2001 was pure spin - those who advocated full disclosure became, by implication, 'irresponsible'. However, the continued efforts of security researchers to find and publish vulnerabilities that Microsoft had failed to find have been acknowledged by the users and now, eventually, Microsoft has decided to stop condemning them by implication."
The change of name is unlikely to end the debate over the right balance between secrecy and disclosure when vulnerabilities are discovered.