The Coordinated Vulnerability Disclosure (CVD) at Microsoft document clarifies how Microsoft responds not only as a vendor impacted by vulnerabilities in its products and services, but as a finder of vulnerabilities in third-party products and services, and as a coordinator of vulnerabilities that affect multiple vendors. Drawing upon our years of experience, we have seen that disclosing vulnerability details and/or exploits before a vendor has a chance to address the issue amplifies the risk of attacks.
As part of the Microsoft Vulnerability Research (MSVR) program, we are releasing the first MSVR Advisories for issues discovered by Microsoft in third-party vendors' products. These issues were privately reported to the companies, which have since provided remediation. Since it began operating in August 2008, MSVR has privately reported many vulnerabilities to other vendors to help improve the broader security ecosystem. MSVR Advisories further document our commitment to handling vulnerability disclosure in a coordinated way. Read more about our CVD philosophy and commitment to the security research community in Katie Moussouris' post on the EcoStrat Blog.