Microsoft announces Coordinated Vulnerability Disclosure (CVD)

Microsoft announced "a shift in philosophy on how we approach the topic of vulnerability disclosure, reframing the practice of 'Responsible Disclosure' to 'Coordinated Vulnerability Disclosure.'"

CVD: "Newly discovered vulnerabilities in hardware, software, and services are disclosed directly to the vendors of the affected product, to a CERT-CC or other coordinator who will report to the vendor privately, or to a private service that will likewise report to the vendor privately. The finder allows the vendor an opportunity to diagnose and offer fully tested updates, workarounds, or other corrective measures before detailed vulnerability or exploit information is shared publicly. If attacks are underway in the wild, earlier public disclosure of vulnerability details can occur, with both the finder and vendor working together as closely as possible to provide consistent messaging and guidance to customers to protect themselves."

More Info: Announcing Coordinated Vulnerability Disclosure