CVD at Microsoft Document, MSVR Advisories, and Internal Corporate Disclosure of Vulnerabilities Policy Announced

To provide more transparency and insight into its disclosure philosophy, Microsoft today announces three updates to disclosure practices:

First up, the Coordinated Vulnerability Disclosure (CVD) at Microsoft document clarifies how Microsoft responds not only as a vendor impacted by vulnerabilities in its products and services, but also as a finder of vulnerabilities in third-party products and services, and as a coordinator of vulnerabilities that affect multiple vendors. Drawing upon our years of experience, we've seen that disclosing vulnerability details and/or exploits before a vendor has a chance to address the issue amplifies the risk of attacks.

Second, as part of the MSVR program, MSVR Advisories are released for issues discovered by Microsoft in third-party vendors' products. These issues were privately reported to the companies, who have since provided remediation. Since it began operating in Aug '08, MSVR has privately reported many vulnerabilities to other vendors to help improve the broader security ecosystem. MSVR Advisories further document our commitment to handling vulnerability disclosure in a coordinated way.

Finally, to help affirm Microsoft's commitment to the security of the computing ecosystem, Microsoft adopted an internal corporate Disclosure of Vulnerabilities policy that establishes protocols for employees to follow when a vulnerability is discovered in a third-party product or service.

[Source: MSRC blog]