Black Hat 2010: Microsoft calls for co-ordinated vulnerability disclosure


Warwick Ashford

Microsoft has called on the IT community to move to co-ordinated vulnerability disclosure at the Black Hat USA 2010 security conference in Las Vegas.

In an attempt to end the debate over the relative merits of responsible and full disclosure, Microsoft is advocating a new approach outlined in a recent blog post.

In co-ordinated vulnerability disclosure, newly discovered vulnerabilities are disclosed to suppliers of the hardware, software or service concerned.

Microsoft is appealing to finders of vulnerabilities to allow suppliers enough time to diagnose the problem and fully test countermeasures before publishing exploit details.

"If attacks are underway in the wild, earlier public vulnerability details disclosure can occur, but with both the finder and supplier working together to provide guidance on how users can protect themselves," said Dave Forstrom, director, Trustworthy Computing at Microsoft.

The need for co-ordination and shared responsibility has never been greater as the computing world faces an unprecedented level of threat from criminals, he said.

"It is important that the industry refocuses its attention on the criminal element that we are all fighting against," said Forstrom.

Since announcing the shift in philosophy, Microsoft has received support from other large suppliers, researchers and security experts, he said.

"There is a groundswell of support for co-ordinated disclosure, which is really focused on getting the job done and ensuring users are protected," said Forstrom.
