Microsoft: Responsible Vulnerability Disclosure Protects Users

By Mark Miller, Director, Microsoft Security Response CenterResponsible disclosure, reporting a vulnerability directly to the vendor and allowing sufficient time to produce an update, benefits the users and everyone else in the security ecosystem by providing the most comprehensive and highest-quality security update possible.From my experience helping customers digest and respond to full disclosure reports, I can tell you that responsible disclosure, while not perfect, doesn’t increase risk as full disclosure can. Generally, responsible disclosure benefits everyone involved by providing the best possible protection for customers without forcing vendors into sacrificing quality or security or introducing additional risk. Through responsible disclosure, vendors such as Microsoft are given an appropriate amount of time to investigate a security report, reproduce it against all supported platforms, analyze it for variations and similar vulnerabilities in surrounding code, and test the resulting update to ensure an appropriate level of quality for mass distribution. This results in the most comprehensive and highest-quality security update possible, which is one of the key goals of the Microsoft Security Response Center’s security investigation process.A key point that is often forgotten in discussions about disclosure is the reality that customers face in protecting systems. When you think of an enterprise with thousands of servers, limited deployment windows and a cost to the business for every update deployed, you can easily understand why every customer I have ever spoken with wants to minimize the number of updates while ensuring the highest level of protection. Responsible disclosure by security researchers allows Microsoft and other vendors to deliver that to our customers. By producing a comprehensive fix that resolves any additional issues found in surrounding code, we minimize the number of updates. Customers also want updates that minimize disruption to their environment, especially in line-of-business and third-party applications. With adequate testing time, Microsoft is able to provide the highest-quality updates, thereby minimizing customer downtime and investment related to deploying security updates.In contrast, full disclosure-reporting vulnerability details to either public mailing lists or Web sites-creates an environment in which customer angst is high and the risks for the ecosystem are increased. These reports can force vendors to rush to provide workaround solutions and security updates that customers can use to mitigate exploitation of the reported vulnerability. However, to release updates on a compressed schedule, shortcuts must be made in the development process. These shortcuts can increase the risk that a fix won’t resolve similar vulnerabilities in surrounding code or that a fix could have quality issues due to a shortened testing cycle. Vendors only take these shortcuts because we have to, knowing that once vulnerability details are published the time to exploit can be exceedingly short-many times in the range of days or hours. So, while in the end the update may be released in a shorter period of time-which is often a key argument in favor of full disclosure-there is a significant cost in terms of security coverage and quality.There are, of course, exceptions to full disclosure and responsible disclosure, such as broad zero-day attacks. In those cases it’s only through rapid cooperation between multiple vendors, researchers and the security community that we can quickly provide effective mitigations and solutions to the threat.Over the last few years it’s been refreshing to see more researchers move to adopt responsible disclosure, but there are still many full disclosure reports. The security researcher community is an integral part of this change, with Microsoft products experiencing approximately 75 percent responsible disclosure. As such, we are committed to working with the community to strengthen support for responsible disclosure and minimize customer risk. We do this by having open communications channels, treating researchers with respect, and listening and learning from them. We believe people deserve credit for helping protect our customers and improve the security of our products. It’s important for vendors and the industry to give credit-as Microsoft does in every security bulletin-to the researchers who help customers and vendors through responsible disclosure reporting.While there has been progress over the last few years, there is still room for improvement. Microsoft remains committed to working with security researchers, vendors and the security community in a responsible way to continue to drive positive improvements to customers’ security.  Mark Miller is director of the Microsoft Security Response Center and has been involved its response process for five years. Before joining the MSRC, he provided customer support and service as part of the Product Support Services Security Team.

Related Articles

• The Vulnerability Disclosure Game: Are We More Secure?
• Schneier: Full Disclosure of Security Vulnerabilities a ’Damned Good Idea’
• The Chilling Effect
• Climate Change: Eric McCarty’s Thoughts