Coordinated Vulnerability Disclosure
When the Microsoft Security Response Center (MSRC) receives a vulnerability report, we develop an update as quickly as possible and broadly disseminate information about the vulnerability, the risk it poses, and what customers can do to help protect themselves against it. We take the responsibility for fixing our products very seriously. However, Microsoft products run on thousands of different manufacturers' hardware, in millions of different configurations, and in conjunction with countless other applications. To do the best job possible, we need the help of the people who discover security vulnerabilities.
We ask the security research community to give us an opportunity to correct a vulnerability before publicly disclosing it, as we ourselves do when we discover vulnerabilities in other vendors' products. This serves everyone's best interests by ensuring that customers receive comprehensive, high-quality updates for security vulnerabilities but are not exposed to malicious attacks while the update is being developed. After customers are protected, public discussion of the vulnerability helps the industry at large improve its products.
This set of practices is called Coordinated Vulnerability Disclosure (CVD) and has been adopted by Microsoft and other software vendors across the industry. Microsoft has also developed a strategy for handling vulnerabilities that its own employees discover in third-party software, to help ensure that the wider ecosystem remains protected. The Microsoft Vulnerability Research (MSVR) program is responsible for the discovery, reporting, and coordination of vulnerabilities in third-party products and services. In all cases, a Microsoft employee who discovers a vulnerability in third-party software informs the MSVR program and works to disclose details of the vulnerability in coordination with the affected vendor.
Microsoft's Approach to Coordinated Vulnerability Disclosure
Under the principle of Coordinated Vulnerability Disclosure, finders disclose newly discovered vulnerabilities in hardware, software, and services directly to the vendors of the affected product; to a national CERT or other coordinator who will report to the vendor privately; or to a private service that will likewise report to the vendor privately. The finder allows the vendor the opportunity to diagnose and offer fully tested updates, workarounds, or other corrective measures before any party discloses detailed vulnerability or exploit information to the public. The vendor continues to coordinate with the finder throughout the vulnerability investigation and provides the finder with updates on case progress. Upon release of an update, the vendor may recognize the finder in bulletins or advisories for finding and privately reporting the issue. If attacks are underway in the wild, and the vendor is still working on the update, then both the finder and vendor work together as closely as possible to provide early public vulnerability disclosure to protect customers. The aim is to provide timely and consistent guidance to customers to help them protect themselves.
For more information on CVD, please review the information provided in the following links:
Learn how coordinating vulnerability disclosures can help protect you from criminals.
If you are a customer of a MAPP (Microsoft Active Protections Program) partner, you can find out whether protections for their products are available to you.