[Infowarrior] - Microsoft: Responsible Vulnerability Disclosure Protects Users

Richard Forno rforno at infowarrior.org
Thu Jan 11 22:11:11 EST 2007


Microsoft: Responsible Vulnerability Disclosure Protects Users

http://www2.csoonline.com/exclusives/column.html?CID=28071

Responsible disclosure benefits everyone in the security ecosystem by
providing the most comprehensive and highest-quality security update
possible.

By Mark Miller, Director, Microsoft Security Response Center

Responsible disclosure, reporting a vulnerability directly to the vendor and
allowing sufficient time to produce an update, benefits the users and
everyone else in the security ecosystem by providing the most comprehensive
and highest-quality security update possible.

From my experience helping customers digest and respond to full disclosure
reports, I can tell you that responsible disclosure, while not perfect,
doesn't increase risk as full disclosure can. Generally, responsible
disclosure benefits everyone involved by providing the best possible
protection for customers without forcing vendors into sacrificing quality or
security or introducing additional risk. Through responsible disclosure,
vendors such as Microsoft are given an appropriate amount of time to
investigate a security report, reproduce it against all supported platforms,
analyze it for variations and similar vulnerabilities in surrounding code,
and test the resulting update to ensure an appropriate level of quality for
mass distribution. This results in the most comprehensive and
highest-quality security update possible, which is one of the key goals of
the Microsoft Security Response Center's security investigation process.

A key point that is often forgotten in discussions about disclosure is the
reality that customers face in protecting systems. When you think of an
enterprise with thousands of servers, limited deployment windows and a cost
to the business for every update deployed, you can easily understand why
every customer I have ever spoken with wants to minimize the number of
updates while ensuring the highest level of protection. Responsible
disclosure by security researchers allows Microsoft and other vendors to
deliver that to our customers. By producing a comprehensive fix that
resolves any additional issues found in surrounding code, we minimize the
number of updates. Customers also want updates that minimize disruption to
their environment, especially in line-of-business and third-party
applications. With adequate testing time, Microsoft is able to provide the
highest-quality updates, thereby minimizing customer downtime and investment
related to deploying security updates.

In contrast, full disclosure, reporting vulnerability details to either
public mailing lists or Web sites, creates an environment in which customer
angst is high and the risks for the ecosystem are increased. These reports
can force vendors to rush to provide workaround solutions and security
updates that customers can use to mitigate exploitation of the reported
vulnerability. However, to release updates on a compressed schedule,
shortcuts must be made in the development process. These shortcuts can
increase the risk that a fix won't resolve similar vulnerabilities in
surrounding code or that a fix could have quality issues due to a shortened
testing cycle. Vendors only take these shortcuts because we have to, knowing
that once vulnerability details are published the time to exploit can be
exceedingly short, many times in the range of days or hours. So, while in the
end the update may be released in a shorter period of time (which is often a
key argument in favor of full disclosure), there is a significant cost in
terms of security coverage and quality.

There are, of course, exceptions to full disclosure and responsible
disclosure, such as broad zero-day attacks. In those cases it's only through
rapid cooperation between multiple vendors, researchers and the security
community that we can quickly provide effective mitigations and solutions to
the threat.

Over the last few years it's been refreshing to see more researchers move to
adopt responsible disclosure, but there are still many full disclosure
reports. The security researcher community is an integral part of this
change, with Microsoft products experiencing approximately 75 percent
responsible disclosure. As such, we are committed to working with the
community to strengthen support for responsible disclosure and minimize
customer risk. We do this by having open communications channels, treating
researchers with respect, and listening and learning from them. We believe
people deserve credit for helping protect our customers and improve the
security of our products. It's important for vendors and the industry to
give credit, as Microsoft does in every security bulletin, to the researchers
who help customers and vendors through responsible disclosure reporting.

While there has been progress over the last few years, there is still room
for improvement. Microsoft remains committed to working with security
researchers, vendors and the security community in a responsible way to
continue to drive positive improvements to customers' security.




Mark Miller is director of the Microsoft Security Response Center and has
been involved in its response process for five years. Before joining the MSRC,
he provided customer support and service as part of the Product Support
Services Security Team.
