Microsoft today pitched its own proposal for how software makers react to bugs reported by researchers, calling for a name change to describe the process it prefers.
Rather than dub the back-and-forth between bug finders and vendors "responsible disclosure" -- a term that implies that the researcher reports a bug, then waits for the developer to patch it before going public with news of the flaw -- Microsoft wants everyone in the security community to use a different moniker: "coordinated vulnerability disclosure," or CVD.
The company admitted the move is primarily a name change, and that much of the rest of its proposal is what Microsoft has urged in the past.
"This isn't a drastic departure at all," said Mike Reavey, director of the Microsoft Security Response Center (MSRC), Microsoft's in-house security team. "What we want to do is what works best to minimize risk to customers, and to remove emotion, which isn't helpful to anyone."
Reavey argued, as others have before, that "responsible disclosure" is a loaded name, since by implication anyone who doesn't follow its bug-reporting steps -- going public with details or attack code before a patch is ready -- is by implication labeled as "irresponsible."
"[CVD] is the same thing as responsible disclosure, just renamed," repeated Reavey. "When folks use charged words, a lot of the focus then is on the disclosure, and not on the problem at hand, which is to make sure customers are protected, and that attacks are not amplified."
Other than the name change, Microsoft's proposal -- which was spelled out in several blog posts by company executives, including the most detailed by Katie Moussouris, a senior security strategist on the MSRC ecosystem strategy team -- is essentially a more explicit rendering of previous positions and practices.
One of the key points Microsoft made is that it wants to keep the lines of communication open between itself and security researchers, even when the latter broadcast their findings without reporting a bug to Microsoft or waiting on a patch.
"We want to be more clear about our philosophy, so first, we would appreciate a heads-up, even if the researcher does 'full disclosure,'" said Reavey, referring to the label applied when a bug hunter goes public with all the details he has about a vulnerability before a patch is available. "And two, that we've operated this way before, so that if a vulnerability is under attack, certainly, we'll release some information and advice."
Moussouris echoed Reavey in her blog. "For finders who still believe that full disclosure is the best way to protect users, we respectfully disagree, but we still want to work with you if you're willing," she said. "We'd encourage folks who support [full disclosure] to still contact us, as we can then attempt to coordinate release of information with protections that are available."
Microsoft isn't the first to propose changes to the sometimes-rocky relationships between security researchers and the vendors whose products they label as vulnerable to attack.
Reavey disagreed with Google. "I don't think there's a one-size-fits-all-issues as far as a timeline," he said. "If the update doesn't work, it doesn't protect anyone."
Microsoft has long taken the position that it fixes bugs as fast as it can, but that testing the quality of an update is just as critical as patching. Screwing up a patch, said Reavey, can have an enormous impact on Windows users, who often apply the updates without testing them themselves.
John Pescatore, Gartner's primary analyst on security issues, took Microsoft's side, saying that Google's proposal was colored by the fact that most of its software is in the cloud, and that the most prominent exception, its Chrome browser, is simple in comparison to an operating system like Windows.
"Browsers are not typical of lots and lots of legacy software, like Microsoft's or Oracle's," Pescatore said, adding that it's unrealistic to expect every bug to get fixed in two months.
"There's often a six-month time frame for an enterprise before they can even push patches [within their organization], even after a patch is released," Pescatore said. "There's all kinds of code that's not as simple to patch as a browser, and that requires longer delays before a patch can be implemented."
The Microsoft and Google proposals are the latest in an increasingly-heated discussion among researchers and vendors about disclosure that was prompted in part by an incident last month when a Google security engineer went public with a critical Windows bug just five days after reporting it to Microsoft.
In early June, Tavis Ormandy, who works for Google's Switzerland office, published attack code for a Windows XP vulnerability, and immediately unleashed a heated debate. While some security researchers criticized Ormandy for taking the bug public, others rose to his defense, blasting both Microsoft and the press -- including Computerworld -- for linking Ormandy to his employer.
Ormandy said he disclosed the vulnerability five days after reporting it to Microsoft when the company wouldn't commit to a patching deadline. Microsoft has disputed that, claiming that it only told Ormandy it would need the rest of the week to decide.
Reavey denied that today's change was triggered by the Ormandy disclosure, saying that Microsoft had been thinking about CVD for months, and had been working with outside researchers and security experts long before the June brouhaha.
But Reavey did admit that things might have worked out differently if the CVD philosophy had been in place last month. "We might have been more clear that we wanted to work together on this," Reavey said. "That [event] was difficult for all of us. [With CVD], we want to explicitly make sure we communicate that we want to continue the dialog."
Reactions by researchers to Microsoft's name change and Google's earlier 60-day deadline idea was mixed.
"What's really important [about Google's deadline proposal] is that this is coming from a vendor, not a researcher," said Dino Dai Zovi, a well-known New York-based vulnerability expert. "Microsoft should adopt some of Google's recently-announced vulnerability handling policies, including bug bounties and a 60-day time limit."
But Dai Zovi commended Microsoft on today's move. "I am the most pleased that Microsoft is dropping the 'responsible disclosure' term, because I considered it a loaded term. It implied that anything other than Microsoft's strict definition is irresponsible."
He also argued that the CVD proposal is "more evolutionary than revolutionary," but added that Microsoft's sheer size makes it tough for the company to adopt major policy changes quickly.
Dan Kaminsky, chief scientist at Recursion Ventures, agreed with Dai Zovi that CVD is a minor shift and sees disclosure deadlines as an important issue Microsoft didn't address. Kaminsky is best known for uncovering a design flaw in the Internet's key DNS protocol and for coordinating a large-scale, multivendor patch effort two years ago.
"This is less a statement of what needs to change and more a statement that they're open for change," said Kaminsky of Microsoft's CVD proposal. "The fundamental question at play is what should be the timeline for vulnerability disclosure."
But Reavey was adamant that CVD, which lacks a commitment to hard deadlines, is what Microsoft's customers wanted. "They look to the security community to help them," said Reavey. "They don't want the risk amplified by information [going public] before a high-quality update is ready. That's way we should shift the focus from one on emotional debates about 'responsible disclosure' to one that reduces risk to customers."