By Mark Miller, Director, Microsoft Security Response Center

Responsible disclosure, reporting a vulnerability directly to the vendor and allowing sufficient time to produce an update, benefits the users and everyone else in the security ecosystem by providing the most comprehensive and highest-quality security update possible.

From my experience helping customers digest and respond to full disclosure reports, I can tell you that responsible disclosure, while not perfect, doesn't increase risk the way full disclosure can. Generally, responsible disclosure benefits everyone involved by providing the best possible protection for customers without forcing vendors to sacrifice quality or security or to introduce additional risk. Through responsible disclosure, vendors such as Microsoft are given an appropriate amount of time to investigate a security report, reproduce it against all supported platforms, analyze it for variations and similar vulnerabilities in surrounding code, and test the resulting update to ensure an appropriate level of quality for mass distribution. This results in the most comprehensive and highest-quality security update possible, which is one of the key goals of the Microsoft Security Response Center's security investigation process.

A key point that is often forgotten in discussions about disclosure is the reality that customers face in protecting systems. When you think of an enterprise with thousands of servers, limited deployment windows and a cost to the business for every update deployed, you can easily understand why every customer I have ever spoken with wants to minimize the number of updates while ensuring the highest level of protection. Responsible disclosure by security researchers allows Microsoft and other vendors to deliver that to our customers. By producing a comprehensive fix that resolves any additional issues found in surrounding code, we minimize the number of updates.

Customers also want updates that minimize disruption to their environment, especially in line-of-business and third-party applications. With adequate testing time, Microsoft is able to provide the highest-quality updates, thereby minimizing customer downtime and the investment related to deploying security updates.

In contrast, full disclosure (reporting vulnerability details to public mailing lists or Web sites) creates an environment in which customer angst is high and the risks for the ecosystem are increased. These reports can force vendors to rush to provide workaround solutions and security updates that customers can use to mitigate exploitation of the reported vulnerability. However, to release updates on a compressed schedule, shortcuts must be made in the development process. These shortcuts can increase the risk that a fix won't resolve similar vulnerabilities in surrounding code, or that a fix could have quality issues due to a shortened testing cycle. Vendors only take these shortcuts because we have to, knowing that once vulnerability details are published the time to exploit can be exceedingly short, many times in the range of days or hours. So, while in the end the update may be released in a shorter period of time, which is often a key argument in favor of full disclosure, there is a significant cost in terms of security coverage and quality.

There are, of course, exceptions to both full disclosure and responsible disclosure, such as broad zero-day attacks. In those cases it's only through rapid cooperation between multiple vendors, researchers and the security community that we can quickly provide effective mitigations and solutions to the threat.

Over the last few years it's been refreshing to see more researchers move to adopt responsible disclosure, but there are still many full disclosure reports. The security researcher community is an integral part of this change, with Microsoft products experiencing approximately 75 percent responsible disclosure.

As such, we are committed to working with the community to strengthen support for responsible disclosure and minimize customer risk. We do this by having open communications channels, treating researchers with respect, and listening to and learning from them. We believe people deserve credit for helping protect our customers and improve the security of our products. It's important for vendors and the industry to give credit, as Microsoft does in every security bulletin, to the researchers who help customers and vendors through responsible disclosure reporting.

While there has been progress over the last few years, there is still room for improvement. Microsoft remains committed to working with security researchers, vendors and the security community in a responsible way to continue to drive positive improvements to customers' security.

Mark Miller is director of the Microsoft Security Response Center and has been involved in its response process for five years. Before joining the MSRC, he provided customer support and service as part of the Product Support Services Security Team.