Microsoft has called on the IT community to move to co-ordinated vulnerability disclosure at the BlackHat USA 2010...
security conference in Las Vegas.
In an attempt to end the debate between the merits of responsible or full disclosure, Microsoft is advocating a new approach outlined in a recent blog post.
In co-ordinated vulnerability disclosure, newly discovered vulnerabilities are disclosed to suppliers of the hardware, software or service concerned.
Microsoft is appealing to finders of vulnerabilities to allow suppliers enough time to diagnose the problem and fully test countermeasures before publishing exploit details.
"If attacks are underway in the wild, earlier public vulnerability details disclosure can occur, but with both the finder and supplier working together to provide guidance on how users can protect themselves," said Dave Forstrom, director, Trustworthy Computing at Microsoft.
The need for co-ordination and shared responsibility has never been greater as the computing world faces an unprecedented level of threat from criminals, he said.
"It is important that the industry refocuses its attention on the criminal element that we are all fighting against," said Forstrom.
Since announcing the shift in philosophy, Microsoft has received support from other large suppliers, researchers and security experts, he said.
"There is a groundswell of support for co-ordinated disclosure, which is really focused on getting the job done and ensuring users are protected," said Forstrom.