Security Watch

Microsoft Shifts on Responsible Disclosure

Plus: Redmond won't pay for bugs, and hacking gets rewarded.

Microsoft has long been concerned with third-party researchers disclosing flaws -- before it can react to them -- in its technologies, which the company said can pose immediate security risks to its customers and the public. But the software giant appears to be shifting its policy.

In what some in the security community see as détente, Microsoft says it is "reframing the practice of 'responsible disclosure' to 'coordinated vulnerability disclosure.'" Redmond is intimating that it would like to dispense with flying rhetoric and strategic salvos and address what it called the "endless debate between responsible disclosure and full disclosure proponents and its ability to detract from meaningful and productive industry collaboration."

"As Microsoft shifts its philosophy to this new approach, we are asking the broader security community to embrace the purpose of this shift, which is ultimately about minimizing customer risk -- not amplifying it," blogged Matt Thomlinson, general manager of Microsoft's Trustworthy Computing Security.

In a separate post, "Bringing Balance to the Force," to drive the point home, another Microsoft senior security strategist, Katie Moussouris, said, "This is imperative to understand amidst a changing threat landscape, where we all accept that no longer can one individual, company or technology solve the online crime challenge."

Microsoft Nixes Bug Bounty Idea
While Microsoft has always welcomed disclosure of bugs -- responsible, coordinated or otherwise -- it won't be handing out cash to researchers.

Along with the new policy mentioned above, Redmond won't be cutting any checks to security researchers for bug discoveries, a practice that MSRC Director Mike Reavey has dubbed "bug bounties." Google and Mozilla -- whose respective Chrome and Firefox browsers are nipping at the heels of Internet Explorer in market share -- have committed to paying researchers who report flaws in their products. Even Hewlett-Packard's TippingPoint and VeriSign's iDefense have set aside money for bug-disclosure-for-cash programs.

While many argue that providing financial incentives would bring out the best and brightest and constitute an even bigger and better olive branch for researchers and mercenary hackers alike, Microsoft isn't budging.

Mike Reavey, Katie Moussouris, Jerry Bryant and other Redmond security specialists have all pointed out that one-off fees for bug disclosure aren't the way Microsoft wants to do business. That said, Microsoft is quick to point out that its continued sponsorship of security confabs such as Black Hat and its own BlueHat conference (see more below) has demonstrated its commitment to security.

For her part, Moussouris encouraged researchers to "sell (bug info) to a service that will" responsibly disclose it to the affected vendor.

For now, Microsoft isn't buying it, which is interesting considering that financial gain is usually the chief motivation for sophisticated hack jobs.

Cute Little Pwnies, Lame Vendors, Epic Fails
Among key themes on the agenda at BlackHat in Las Vegas this week will be cloud security, mobile security, the "OS wars" and, of course, browser security.

Perhaps the most zany and telling event on the schedule will be the "Pwnie" awards, billed as part Emmys for hackers, part Raspberries for vendors. Pwnie (yes! with a cute little pony trophy) comes from the word "pwned," which is Internet-era shorthand for "owned."

The nine category names alone are probably worth the price of admission: Best Server-Side Bug; Best Client-Side Bug; Pwnie for Mass 0wnage; Most Innovative Research; Lamest Vendor Response; Most Overhyped Bug; Best Song (apparently, hackers have written songs and raps as they pwn users and systems); Most Epic FAIL; and, finally, Lifetime Achievement.

Windows IT pros take note: Windows Server Message Block and IIS bugs are both nominated for Best Server-Side Bug. Meanwhile, IE's Aurora bug, the Windows EOT font parser vulnerability and the Windows Help Center bugs are nominated for Best Client-Side Bug. IE 8 is on the "Epic Fail" nomination list.

Check out the liner notes on IE 8's nomination: "Internet Explorer 8 was released with built-in cross-site scripting filters which, for nearly a year after release, enabled cross-site scripting on otherwise secure sites. Ironic. Epic. Fail."

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.
