Security Watch

Microsoft Shifts on Responsible Disclosure

Plus: Redmond won't pay for bugs, and hacking gets rewarded.

• By Jabulani Leffall
• 07/26/2010

Microsoft has long been concerned with third-party researchers disclosing flaws -- before it can react to them -- in its technologies, which the company said can pose immediate security risks to its customers and the public. But the software giant appears to be shifting its policy .

In what some in the security community see as détente, Microsoft says it is "reframing the practice of 'responsible disclosure' to 'coordinated vulnerability disclosure.'" Redmond is intimating that it would like to dispense with flying rhetoric and strategic salvos and address what it called the "endless debate between responsible disclosure and full disclosure proponents and its ability to detract from meaningful and productive industry collaboration."

"As Microsoft shifts its philosophy to this new approach, we are asking the broader security community to embrace the purpose of this shift, which is ultimately about minimizing customer risk -- not amplifying it," blogged Matt Thomlinson, general manager of Microsoft's Trustworthy Computing Security.

In a separate post, " Bringing Balance to the Force ," to drive the point home , another Microsoft senior security strategist, Katie Moussouris, said, "This is imperative to understand amidst a changing threat landscape, where we all accept that no longer can one individual, company or technology solve the online crime challenge."

Microsoft Nixes Bug Bounty Idea
While Microsoft has always welcomed disclosure of bugs -- responsible, coordinated or otherwise -- it won't be handing out cash to researchers.

Along with the new policy mentioned above, Redmond won't be cutting any checks to security researchers for bug discoveries, a practice that MSRC Director Mike Reavey has dubbed "bug bounties." Google and Mozilla -- whose respective Chrome and Firefox browsers are nipping at the heels of Internet Explorer in market share -- have committed to paying researchers who report flaws in their products. Even Hewlett-Packard's TippingPoint and VeriSign's iDefense have set aside money for bug-disclosure-for-cash programs.

While many argue that providing financial incentives would bring out the best and brightest and constitute an even bigger and better olive branch for researchers and mercenary hackers alike, Microsoft isn't budging.

Mike Reavey, Katie Moussouris, Jerry Bryant and other Redmond security specialists have all pointed out that one-off fees for bug disclosure aren't the way Microsoft wants to do business. That said, Microsoft is quick to point out its continued sponsorship of security confabs such Blackhat and its own BlueHat conference (see more below) have demonstrated its commitment to security.

For her part, Moussouris encouraged researchers to "sell (bug info) to a service that will" responsibly disclose it to the affected vendor.

For now, Microsoft isn't buying it, which is interesting considering that financial gain is usually the chief motivation for sophisticated hack jobs.

Cute Little Pwnies, Lame Vendors, Epic Fails
Among key themes on the agenda at BlackHat in Las Vegas this week will be cloud security, mobile security, the "OS wars" and, of course, browser security.

Perhaps the most zany and telling event on the schedule will be the " Pwnie " awards, billed as part Emmys for hackers, Raspberrys for vendors. Pwnie (yes! with a cute little pony trophy) comes from the word "pwned," which is Internet-era shorthand for owned (click here for further clarification as needed).

The nine category names alone are probably worth the price of admission: Best Server-Side Bug; Best Client-Side Bug; Pwnie for Mass 0wnage; Most Innovative Research; Lamest Vendor Response, Most Overhyped Bug; Best Song (apparently, hackers have written songs and raps as they pwn users and systems); Most Epic FAIL; and, finally, Lifetime Achievement.

Windows IT pros take note as Windows Server Message Block and IIS bugs are both up for server-side bugs. Meanwhile, IE's Aurora bug, Windows EOT font parser vulnerability and Windows Help Center bugs are up for best client-side bugs. IE 8 is on the "Epic Fail" nomination list.

Check out the liner notes on IE 8's nomination: "Internet Explorer 8 was released with built-in cross-site scripting filters which, for nearly a year after release, enabled cross-site scripting on otherwise secure sites. Ironic. Epic. Fail."