Microsoft calls for ‘coordinated disclosure’ of bugs

Analysis
Jul 23, 2010

Google called for a rethink of 'responsible disclosure' and Microsoft responded quickly with a shift in policy -- but can we expect much real change?

It wasn’t long ago that we were reading about the air war between Microsoft and Google over a vulnerability disclosure from a Google employee, Tavis Ormandy, that affected the Windows XP operating system and was disclosed without giving Redmond time to respond. The back and forth that ensued between the PR engines of the two tech giants has been dubbed by InfoWorld’s own Neil McAllister the “Battle of Ormandy.”

In the wake of that battle, more sensible heads are prevailing. This week, Google researchers, including Ormandy, published a blog post calling for a rethinking of the nearly decade-old status quo around what’s come to be known as “responsible disclosure” — a policy that asks security researchers to submit information on software vulnerabilities directly to the affected vendor, then hold off on disclosing details until a patch is available.


The blog post outlined a new policy that would allow Google researchers who find bugs to rank them by criticality and disclose them first to vendors, but also set an upper bound on the vendor’s response time, based on the criticality of the flaw and whether or not it is being actively exploited. Google seemed to think that Ormandy’s 60-day deadline was adequate but allowed that more time could be needed.

Then, on Thursday, Microsoft said it had revisited the almost decade-old notion of responsible disclosure and decided to adopt a more flexible, less pejorative alternative — “coordinated disclosure” — that gives clearer guidance and more options to security researchers who discover security holes in software products created by third-party ISVs.

So what’s changed? Responsible disclosure asks researchers to report the security holes they find to vendors, then wait (patiently) for a patch for the hole before notifying the public. Coordinated disclosure keeps most of that, but puts the onus on ISVs to respond rapidly if there’s evidence that a security hole is being actively exploited. In that case, researchers may release some details of the hole — enough for the public to protect itself from exploitation.

But those who report vulnerabilities are still expected to coordinate with vendors on the release of data and to refrain from releasing exploit code that “proves” their find. The other big change, of course, is the removal of the word “responsible” and the notion that researchers are acting “irresponsibly” by not deferring to ISVs in all matters related to their find. The list of signatories on this new policy is a Dream Team of software vulnerability researchers and security VIPs and lends the weight of hard-earned reputations to the new plan.

This is a big evolutionary step for Microsoft, which has struggled openly in recent years with the simultaneous need to get software fixes right and to get them out quickly. In an insightful blog post that’s more than a year old, senior security strategist Katie Moussouris talks about the need for vendors and researchers to work more closely together and find a middle ground — to prevent vendors from sitting on vulnerabilities for months or years before patching them, and to stop security researchers from carelessly releasing vulnerability data or exploit code into the wild to force a vendor’s hand.

Researchers generally start out trying to do the right thing. But they’re a touchy bunch and prone to acts of civil disobedience when they feel ISVs aren’t taking their discovery or recommendations about fixes seriously. We saw that in spades this week, after a group of researchers, calling itself the Microsoft Spurned Researcher Collective (MSRC, cleverly enough) said it would begin publicly releasing complete information about security holes as a way to protest Microsoft’s perceived “hostility towards security researchers” — ah well.

But will this mean much in terms of software security? Doubtful. Responsible disclosure has been the “law of the land” for almost 10 years now and by all measures — the raw number of total vulnerabilities, the average time to patch, the potency of exploits and attacks — there’s not much to show for it. One reason, of course, is that there’s an almost endless supply of new software code being created every day — as well as billions of lines of legacy code out there to maintain. New security holes are a dime a dozen, and new code comes online every day.

Protocol around disclosure is a good way to let reputable researchers know the rules of the road, but it’s a road they’re sharing with unethical researchers and criminal groups who don’t care about the rules. As potent as Tavis Ormandy’s Windows vulnerability was, it was merely one hole in a common version of Windows. Attackers who weaponized and released it needn’t have relied on Tavis’s discovery — he just made their lives a bit easier.

The long-term fix, of course, is to develop more secure applications and harden those that have already been deployed. Responsible disclosure says nothing about that, nor does it promise to direct more of Microsoft’s or Google’s cash hoard toward that end. Without that kind of hard investment, words won’t add up to a hill of beans in what promises to be a long war over software security.

Paul F. Roberts is a Senior Analyst at The 451 Group.

This article, “Microsoft calls for ‘coordinated disclosure’ of bugs,” was originally published at InfoWorld.com.