Microsoft Leads Vulnerability-Disclosure Initiative

Microsoft wants more control over software vulnerability disclosure, the company says. Late Thursday, Microsoft and five security vendors revealed a plan to create an organization that promotes "the need to develop and institutionalize a code of conduct for responsible handling of security vulnerabilities."

While the guidelines for software vulnerability disclosure have not been finalized, preliminary guidelines suggest software vendors would have 30 days to fill any reported security holes with a patch. The group will urge its members to reply to vulnerability discoveries promptly, and keep those who unveil the flaw appraised of the software company's progress in developing a fix.

Five security vendors, revealed at Microsoft's Trusted Computing conference, have initially signed on to the organization, which is expected to be announced formally in a few weeks. Security vendors include @Stake, Bindview, Foundstone, Guardent, and Internet Security Systems.

The issue of when to disclose--and how much detail to disclose--regarding software vulnerabilities is nothing new to the software industry. The debate flared up this summer when eEye Digital Security released, what some argued, was too much information regarding a Microsoft Internet Information Services vulnerability, which the author(s) of the Code Red worm capitalized on. Security analysts suspect Microsoft's attempt to formalize the vulnerability disclosure process will do little to stem the release of security flaws over the Internet. "The general sense is some kind of best practice is needed in this area, but to make it work you'd need a shift in the moral perspective in the security community toward vulnerability disclosure. Whether a vendor, or a consortium, can lead that initiative is questionable."