Ahhh, they took their time! Finally some coordination, exchange and constructive dialogue between vulnerability researchers and Microsoft's engineers. Finally a form of sharing that will save time and allow faster patching!
And as a bonus, Microsoft will detail all the causes of bugs even before an exploit is published.
Personally, I think this is a major step forward!
Microsoft is changing the way in which it handles vulnerability disclosures, now moving to a model it calls coordinated vulnerability disclosure, in which the researcher and the vendor work together to verify a vulnerability and allow ample time for a patch. However, the new philosophy also recognizes that if there are attacks already happening, it may be necessary to release details of the flaw even before a patch is ready.
The shift is a subtle one from Microsoft, which has always been at the heart of the debate over full disclosure of security vulnerabilities. The company has been very vocal in the past about its assertion that all vulnerabilities in its products should be reported privately to the company and the researcher should then give Microsoft some undisclosed amount of time to come up with a fix. The new CVD strategy still doesn't lay out a timeline for patch releases, but it represents a public change in the way the company is thinking.
The new CVD strategy relies on researchers to report vulnerabilities either directly to a vendor or to a trusted third party, such as a CERT-CC, who will then report it to the vendor. The finder and the vendor would then try to agree on a disclosure timeline and work from there.
"Newly discovered vulnerabilities in hardware, software, and services are disclosed directly to the vendors of the affected product, to a CERT-CC or other coordinator who will report to the vendor privately, or to a private service that will likewise report to the vendor privately. The finder allows the vendor an opportunity to diagnose and offer fully tested updates, workarounds, or other corrective measures before detailed vulnerability or exploit information is shared publicly. If attacks are underway in the wild, earlier public vulnerability details disclosure can occur with both the finder and vendor working together as closely as possible to provide consistent messaging and guidance to customers to protect themselves," said Matt Thomlinson, general manager of Microsoft's Trustworthy Computing group.
"CVD does not represent a huge departure from the current definition of "responsible disclosure," and we would still view vulnerability details being released broadly outside these guidelines as putting customers at unnecessary levels of risk. However, CVD does allow for more focused coordination on how issues are addressed publicly. CVD's core principles are simple: vendors and finders need to work closely toward a resolution; extensive efforts should be made to make a timely response; and only in the event of active attacks is public disclosure, focused on mitigations and workarounds, likely the best course of action -- and even then it should be coordinated as closely as possible."
The change from Microsoft comes close on the heels of several other major shifts in the landscape recently, including the decisions by both Google and Mozilla to raise their bounties for security bugs to $3,133.7 and $3,000, respectively. Microsoft has steadfastly refused to pay bug bounties in the past, though there are persistent rumors that the company may do so at some point in the near future.
The CVD plan closely resembles other disclosure strategies that have been released over the years, and incorporates some elements of plans that researchers have suggested. The use of trusted third parties, such as the CERT-CC, is something that has been suggested by a number of people in the past, and has the advantage of including a dispassionate organization that can work with both the researcher and the vendor when conflicts arise or if the vendor is unresponsive.
The new CVD policy, in fact, incorporates some of the elements that were laid out in a plan written by the now-defunct Organization for Internet Safety in 2004, particularly the use of third parties to help moderate the process.
The key concession in the new CVD strategy is the acknowledgement that there are times when it may be necessary for the researcher to disclose details of a given vulnerability before a patch is ready. This is often done if a vendor is not responsive to the researcher or if the researcher doesn't think the vendor is making a good-faith effort to fix a flaw quickly enough. However, as Microsoft says in its policy, disclosure of flaw details may also be necessary in cases where attacks against the vulnerability are already underway in the wild and security staff need information on the problem to help protect their networks.
Katie Moussouris, a senior security strategist at Microsoft, said in a related blog post that the company needs help from the research community to make this CVD philosophy work.
"Responsible Disclosure should be deprecated in favor of something focused on getting the job done, which is to improve security and to protect users and systems. As such, Microsoft is asking researchers to work with us under Coordinated Vulnerability Disclosure, and added some coordinated public disclosure possibilities before a vendor-supplied patch is available when active attacks are underway. It uses the trigger of attacks in the wild to switch modes, which is an event that is objectively observable by many independent sources," she wrote. "Make no mistake about it, CVD is basically founded on the initial premise of Responsible Disclosure, but with a coordinated public disclosure strategy if attacks begin in the wild. That said, what’s critical in the reframing is the heightened role coordination and shared responsibility play in the nature and accepted practice of vulnerability disclosure. This is imperative to understand amidst a changing threat landscape, where we all accept that no longer can one individual, company or technology solve the online crime challenge."
Source here!