Black Hat 2010: Microsoft calls for co-ordinated vulnerability disclosure


Warwick Ashford

At the Black Hat USA 2010 security conference in Las Vegas, Microsoft has called on the IT community to move to co-ordinated vulnerability disclosure.

In an attempt to end the debate over the merits of responsible versus full disclosure, Microsoft is advocating a new approach outlined in a recent blog post.

In co-ordinated vulnerability disclosure, newly discovered vulnerabilities are disclosed to suppliers of the hardware, software or service concerned.

Microsoft is appealing to finders of vulnerabilities to allow suppliers enough time to diagnose the problem and fully test countermeasures before publishing exploit details.

"If attacks are underway in the wild, earlier public vulnerability details disclosure can occur, but with both the finder and supplier working together to provide guidance on how users can protect themselves," said Dave Forstrom, director, Trustworthy Computing at Microsoft.

The need for co-ordination and shared responsibility has never been greater as the computing world faces an unprecedented level of threat from criminals, he said.

"It is important that the industry refocuses its attention on the criminal element that we are all fighting against," said Forstrom.

Since announcing the shift in philosophy, Microsoft has received support from other large suppliers, researchers and security experts, he said.

"There is a groundswell of support for co-ordinated disclosure, which is really focused on getting the job done and ensuring users are protected," said Forstrom.
