Updated: July 13, 2020 (August 2, 2010)

  Analyst Report

Disclosure Philosophy Rethought



As debate rages about disclosure of a vulnerability in Microsoft’s Help and Support Center software, Microsoft has proposed a modified philosophy for disclosure of security vulnerabilities in hardware, software, and services. The new philosophy suggests when it is appropriate to publicly disclose a vulnerability before a fix is found or released by the vendor. The proposal also replaces the term “responsible disclosure” (RD) with “coordinated vulnerability disclosure” (CVD), not only because “responsible” implied that any other form of disclosure was irresponsible, but also to emphasize that coordination between finder and vendor is needed.

Coordination Is Key

Most security experts have defined RD as reporting vulnerabilities privately to the appropriate vendor, and to no one else, until the vendor issues a patch. In contrast, proponents of full disclosure (FD) argue that publishing all vulnerability details at the same time the vendor is notified will pressure vendors into providing updates faster. In June 2010, debate spread through the IT security community after a Google engineer publicly disclosed a vulnerability in Microsoft’s Help and Support Center software only five days after reporting it to Microsoft. Microsoft and others felt that such public disclosure was not in the best interest of finding a solution, while the finder and others maintained that FD was the only way to get Microsoft to commit to fixing the problem in a timely manner. For the Help and Support Center vulnerability, no exploits had been seen before the disclosure, but they appeared within days afterward.
