RSA 2011: Microsoft promotes co-ordinated vulnerability disclosure

Software producers remain largely unresponsive to input from security researchers, according to Aaron Portnoy, manager of the security research team HP TippingPoint.

"We essentially provide free QA for these companies, but many remain uninterested or hostile," Aaron Portnoy told attendees of RSA Conference 2011 in San Francisco.

The problem, says independent researcher Dino Dai Zovi, is that there remains a wide lack of smooth disclosure processes.

Microsoft is the best in the [software] business in handling security vulnerability disclosures, he says, but besides them and one or two other top software suppliers, the level of sophistication in dealing with vulnerability disclosures drops off rapidly.

All software suppliers who take security seriously are willing to learn from mistakes, says Katie Moussouris, senior security strategist at the Microsoft Response Center (MSRC).

In mid-2010, Microsoft introduced an initiative aimed at promoting what it calls co-ordinated security disclosure, in an attempt to end the debate over the merits of responsible disclosure versus immediate, full disclosure by researchers.

The initiative, says Katie Moussouris, is aimed at explaining to security researchers that Microsoft, like most other software suppliers, would like to get the heads up on vulnerabilities and work out ways to best protect customers before a vulnerability is disclosed.

"Suppliers need to make it easier to report vulnerabilities to them, and since we introduced the concept of co-ordinated disclosure, we have had more security researchers coming forward to discuss things with us. It is a far more civilised way of doing things with tangible benefits to customers," she said.

High quality reports from the likes of HP TippingPoint also help speed up the process for Microsoft, she adds.

In a bid to force better response times from other software suppliers and eliminate delays of sometimes up to three years, HP TippingPoint has introduced a 60-day deadline.

"We give suppliers two months to notify customers of the vulnerability and come up with a patch or workaround, and if they do not, we go public," said Portnoy.

HP TippingPoint, does however, grant extensions to the deadline if there is a legitimate reason, he says, but the important thing is to make software suppliers responsive.

Moussouris says researchers should not apply unreasonable pressure on software suppliers to give them enough time to develop security patches that have been tested thoroughly.

"Experience has taught us that releasing a patch prematurely can cause more problems than it fixes because we have not had time to test it with all possible product configurations and operating environments," she said.

It is extremely important for software suppliers to be allowed enough time to get at patch right the first time, says Moussouris, otherwise it undermines user confidence in patches, which in turn leads to organisations delaying security updates.