Thursday, April 21, 2011

Microsoft's "Coordinated Vulnerability Disclosure"

Microsoft has been finding vulns in other people's products since forever. That's because for those of us "skilled in the art", it's impossible not to. Remember: when software crashes for you, you simply restart it. When it crashes for us, we trap it in a debugger, and use tools like !exploitable in order to see if it's exploitable.

Until now, Microsoft's response to such bugs as been ad-hoc. I'll bet that they've simply ignored the majority of such bugs. It takes a fair amount of work to take a bug that's "probably exploitable" to prove that it's "reproducibly exploitable". Security engineers should do it to keep in practice, but it's costly.

But now Microsoft has created an official disclosure policy for their engineers. Now, when they find a bug in somebody else's product, their engineers know what policy to follow.


Microsoft should be praised for not using the word "responsible" disclosure. The words "vulnerability disclosure" describe a fact, "responsible" describes an opinion. In a room of 10 cybersecurity experts, you'll get 15 opinions one what is "responsible" for disclosing a vulnerability. (And few would agree with my opinion that no disclosure is irresponsible, and that each of the different ways a bug is disclosed has a different set of tradeoffs).

The Golden Rule

Microsoft's policy of how they disclose bugs to others mirrors their policy of how they would like others to disclose bugs in Microsoft's products. This is the "coordinated" bit in their disclosure -- where "coordinated" gives the upper hand to the affected vendor rather than the vuln discoverer.

Most controversial is the idea "under no circumstances will Microsoft release details of an unpatched vulnerability unless evidence of public attacks exists". This gives the vendor the ("irresponsible") ability to bury bugs by never patching them. Microsoft has buried bugs on occasion by doing this.

In contrast, Mozilla and Chrome have policies that say if they fail to patch a bug within a certain timeframe, then it's OK for the discover to disclose it. Knowing how vendor's react, I prefer this policy.

I'm looking a fight

Here's what I want to see: Microsoft report a bug to Mozilla or Chrome that they bury. Which policy wins? Does Microsoft follow their policy and never publicly disclose the bug? Or do they switch and follow the Chrome/Mozilla policy and report anyway?

No comments: