
Microsoft's security team bolstered its attempt to play
ball with third parties yesterday, rolling out the third programme
in a week designed to help others with security
issues.
The Microsoft Vulnerability Research (MSVR) initiative will see
the company formally alert third-party vendors to security bugs in
their software.
In the course of its own software development, which includes
finding security flaws, Microsoft's researchers sometimes find bugs in
other vendors' products, said Andrew Cushman, director of security
response and outreach. But previous attempts to alert other vendors
had been ad hoc, and MSVR formalised the process, he said.
Cushman admitted Microsoft would not be putting any more code
analysers on the team, but one or two extra employees would be
tasked with taking code flaws found in third-party products by the
Microsoft security team and bringing them to light.
This puts Microsoft in the same position as the many security
researchers who bring software flaws to its attention, and the
company has developed a policy of responsible disclosure. "We will
not make details of the
vulnerability public until an update is available," said
Cushman.
No cash would change hands for vulnerability disclosures, he
said, adding, "We will ask for recognition so that they credit us
in their bulletins or advisories."
Earlier this week, the firm unveiled its Microsoft Active
Protections Program (MAPP) and Exploit Index
initiatives, designed to assist other security vendors and
Microsoft customers with information about security issues.