Forget full disclosure; forget responsible disclosure; sign up for Microsoft’s new Coordinated Disclosure
This is clever. Microsoft has taken some stick over Tavis Ormandy and full disclosure (not as much as Tavis, but some): the whole issue has raised the possibility that companies like Microsoft might sit on vulnerabilities, sometimes for years, if the researcher doesn’t go fully public.
No company likes that sort of accusation floating around, so Microsoft has come up with a new disclosure policy. It’s not ‘responsible disclosure’ (a term and approach that is ridiculed by many serious security researchers), nor yet is it the fearful ‘full disclosure’ (a term and approach that is ridiculed by many serious security vendors). It’s a new one. It’s ‘coordinated disclosure’.
The idea is this:
Definition of coordinated vulnerability disclosure. Microsoft believes coordinated vulnerability disclosure is when newly discovered vulnerabilities in hardware, software and services are disclosed directly to the vendors of the affected product, to a CERT-CC or other coordinator who will report to the vendor privately, or to a private service that will likewise report to the vendor privately. The finder allows the vendor an opportunity to diagnose and offer fully tested updates, workarounds or other corrective measures before detailed vulnerability or exploit information is shared publicly. If attacks are underway in the wild, earlier public vulnerability details disclosure can occur with both the finder and vendor working together as closely as possible to provide consistent messaging and guidance to customers to protect themselves.
Frankly I can’t see much difference between this and responsible disclosure, except that a CERT-CC becomes involved. This is the clever bit. CERT-CCs are pretty well trusted by the general public (well, they’re often ‘government’, so they must be trustworthy, right?). It’s a bit like David Cameron inviting the LibDems into government: if it goes right, it’s the Conservatives what did it; but if it goes wrong, we can blame the LibDems. Ah, but it’s more than just sharing the blame. The CERTs I’ve come across all have a policy of not going public with a known vulnerability until the vendor produces a patch.
In other words, there is no actual difference between this new ‘coordinated disclosure’ and the old ‘responsible disclosure’ except that we are given the false impression that the whole process will be policed by a CERT. That’s clever. And, of course, it’s followed by pretty standard emotional blackmail:
Microsoft calls on the broader community — from security researchers to vendors — to move to coordinated vulnerability disclosure. The need for coordination and shared responsibility has never been greater, as the computing ecosystem faces an unprecedented level of threat from the criminal element. To overcome that element, we must work together to improve the security of the entire ecosystem — and, as always, making customer protection our highest priority.
I suspect this will make not the slightest difference in reality. Existing full disclosure proponents believe that full disclosure is making user protection the highest priority; just as responsible disclosure proponents believe in their procedure. Coordinated exposure is just meaningless new semantics: but it does make good PR.