On Tuesday, Microsoft kicked off a new set of security practices called the Coordinated Vulnerability Disclosure (CVD) Policy, governing the discovery, reporting, and coordination of vulnerabilities in third-party products and services, under the Microsoft Security Response Center (MSRC) initiative.
This set of practices has been adopted by Microsoft and other software vendors across the industry.
In all cases, a Microsoft employee who discovers a vulnerability in third-party software informs the Microsoft Vulnerability Research (MSVR) program, and works to disclose details of the vulnerability in a coordinated manner with the vendor.
Vulnerabilities in third-party products come to MSVR in three different ways:
1. Internal Microsoft developers and test engineers: In the course of their day-to-day jobs, developers and test engineers find potential vulnerabilities in third-party software. The internal process is that those vulnerabilities are reported to the MSVR team. MSVR then works with the affected vendor to fix the issue.
2. External reports to Microsoft Security Response Center (MSRC): On occasion an external researcher will report an issue that they believe affects a Microsoft product, but which either affects a third-party product instead or affects both the Microsoft product and external parties. These issues are coordinated by MSVR. The ATL issue from last year is a great example of this scenario.
3. Internal research projects: As time and resources permit, MSVR performs its own vulnerability analysis and research on products that run on Microsoft operating systems but are not developed by Microsoft. This is accomplished by using internal toolsets. Any issues identified are reported to the affected vendor under accepted coordinated vulnerability disclosure practices.
Such vulnerabilities will be listed in the Microsoft Vulnerability Research (MSVR) Advisories Archive.
These practices are intended to provide greater clarity and certainty when coordinating vulnerabilities with Microsoft. Microsoft encourages other companies and security researchers to adopt a similar approach, and work with software providers to help minimize customer risk.
For more information on Microsoft's CVD policy, you can download the policy document from Microsoft.