Drop 'responsible' from bug disclosures, Microsoft urges

Proposes name change to eliminate loaded word for bug reporting practice

Microsoft today pitched its own proposal for how software makers react to bugs reported by researchers, calling for a name change to describe the process it prefers.

Rather than dub the back-and-forth between bug finders and vendors "responsible disclosure" -- a term that implies that the researcher reports a bug, then waits for the developer to patch it before going public with news of the flaw -- Microsoft wants everyone in the security community to use a different moniker: "coordinated vulnerability disclosure," or CVD.

The company admitted the move is primarily a name change, and that much of the rest of its proposal is what Microsoft has urged in the past.

"This isn't a drastic departure at all," said Mike Reavey, director of the Microsoft Security Response Center (MSRC), Microsoft's in-house security team. "What we want to do is what works best to minimize risk to customers, and to remove emotion, which isn't helpful to anyone."

Reavey argued, as others have before, that "responsible disclosure" is a loaded name, since anyone who doesn't follow its bug-reporting steps -- going public with details or attack code before a patch is ready -- is by implication labeled "irresponsible."

"[CVD] is the same thing as responsible disclosure, just renamed," repeated Reavey. "When folks use charged words, a lot of the focus then is on the disclosure, and not on the problem at hand, which is to make sure customers are protected, and that attacks are not amplified."

Other than the name change, Microsoft's proposal -- which was spelled out in several blog posts by company executives, including the most detailed by Katie Moussouris, a senior security strategist on the MSRC ecosystem strategy team -- is essentially a more explicit rendering of previous positions and practices.

One of the key points Microsoft made is that it wants to keep the lines of communication open between itself and security researchers, even when the latter broadcast their findings without reporting a bug to Microsoft or waiting on a patch.

"We want to be more clear about our philosophy, so first, we would appreciate a heads-up, even if the researcher does 'full disclosure,'" said Reavey, referring to the label applied when a bug hunter goes public with all the details he has about a vulnerability before a patch is available. "And two, that we've operated this way before, so that if a vulnerability is under attack, certainly, we'll release some information and advice."

Moussouris echoed Reavey in her blog. "For finders who still believe that full disclosure is the best way to protect users, we respectfully disagree, but we still want to work with you if you're willing," she said. "We'd encourage folks who support [full disclosure] to still contact us, as we can then attempt to coordinate release of information with protections that are available."

Microsoft isn't the first to propose changes to the sometimes-rocky relationships between security researchers and the vendors whose products they label as vulnerable to attack.

On Tuesday, Google published what it called "Rebooting Responsible Disclosure," a proposal that featured, among other elements, a call for a hard deadline of 60 days to patch a problem.

Reavey disagreed with Google. "I don't think there's a one-size-fits-all answer for all issues as far as a timeline," he said. "If the update doesn't work, it doesn't protect anyone."

Microsoft has long taken the position that it fixes bugs as fast as it can, but that testing the quality of an update is just as critical as patching. Screwing up a patch, said Reavey, can have an enormous impact on Windows users, who often apply the updates without testing them themselves.

John Pescatore, Gartner's primary analyst on security issues, took Microsoft's side, saying that Google's proposal was colored by the fact that most of its software is in the cloud, and that the most prominent exception, its Chrome browser, is simple in comparison to an operating system like Windows.

"Browsers are not typical of lots and lots of legacy software, like Microsoft's or Oracle's," Pescatore said, adding that it's unrealistic to expect every bug to get fixed in two months.

"There's often a six-month time frame for an enterprise before they can even push patches [within their organization], even after a patch is released," Pescatore said. "There's all kinds of code that's not as simple to patch as a browser, and that requires longer delays before a patch can be implemented."

The Microsoft and Google proposals are the latest in an increasingly-heated discussion among researchers and vendors about disclosure that was prompted in part by an incident last month when a Google security engineer went public with a critical Windows bug just five days after reporting it to Microsoft.

In early June, Tavis Ormandy, who works for Google's Switzerland office, published attack code for a Windows XP vulnerability, and immediately unleashed a heated debate. While some security researchers criticized Ormandy for taking the bug public, others rose to his defense, blasting both Microsoft and the press -- including Computerworld -- for linking Ormandy to his employer.

Ormandy said he disclosed the vulnerability five days after reporting it to Microsoft when the company wouldn't commit to a patching deadline. Microsoft has disputed that, claiming that it only told Ormandy it would need the rest of the week to decide.

Reavey denied that today's change was triggered by the Ormandy disclosure, saying that Microsoft had been thinking about CVD for months, and had been working with outside researchers and security experts long before the June brouhaha.

But Reavey did admit that things might have worked out differently if the CVD philosophy had been in place last month. "We might have been more clear that we wanted to work together on this," Reavey said. "That [event] was difficult for all of us. [With CVD], we want to explicitly make sure we communicate that we want to continue the dialog."

Reactions by researchers to Microsoft's name change and Google's earlier 60-day deadline idea were mixed.

"What's really important [about Google's deadline proposal] is that this is coming from a vendor, not a researcher," said Dino Dai Zovi, a well-known New York-based vulnerability expert. "Microsoft should adopt some of Google's recently-announced vulnerability handling policies, including bug bounties and a 60-day time limit."

But Dai Zovi commended Microsoft on today's move. "I am the most pleased that Microsoft is dropping the 'responsible disclosure' term, because I considered it a loaded term. It implied that anything other than Microsoft's strict definition is irresponsible."

He also argued that the CVD proposal is "more evolutionary than revolutionary," but added that Microsoft's sheer size makes it tough for the company to adopt major policy changes quickly.

Dan Kaminsky, chief scientist at Recursion Ventures, agreed with Dai Zovi that CVD is a minor shift and sees disclosure deadlines as an important issue Microsoft didn't address. Kaminsky is best known for uncovering a design flaw in the Internet's key DNS protocol and for coordinating a large-scale, multivendor patch effort two years ago.

"This is less a statement of what needs to change and more a statement that they're open for change," said Kaminsky of Microsoft's CVD proposal. "The fundamental question at play is what should be the timeline for vulnerability disclosure."

But Reavey was adamant that CVD, which lacks a commitment to hard deadlines, is what Microsoft's customers wanted. "They look to the security community to help them," said Reavey. "They don't want the risk amplified by information [going public] before a high-quality update is ready. That's why we should shift the focus from one on emotional debates about 'responsible disclosure' to one that reduces risk to customers."

Gregg Keizer

Computerworld (US)