It wasn't long ago that we were reading about the air war between Microsoft and Google over a vulnerability disclosure from a Google employee, Tavis Ormandy, that affected the Windows XP operating system and was disclosed without giving Redmond time to respond. The back and forth that ensued between the PR engines of the two tech giants has been dubbed by InfoWorld's own Neil McAllister the "Battle of Ormandy."
In the wake of that battle, more sensible heads are prevailing. This week, Google researchers, including Ormandy, published a blog post calling for a rethinking of the nearly decade-old status quo around what's come to be known as "responsible disclosure" -- a policy that asks security researchers to submit information on software vulnerabilities directly to the affected vendor, then hold off on disclosing details until a patch is available.
The blog post outlined a new policy under which Google researchers who find bugs would rank them by criticality and disclose them first to vendors, but would also set an upper bound on the vendor's response time, based on the criticality of the flaw and whether or not it is being actively exploited. Google seemed to think that Ormandy's 60-day deadline was adequate but allowed that more time could be needed.
Then, on Thursday, Microsoft said it had revisited the almost decade-old notion of responsible disclosure and decided to adopt a more flexible, less pejorative alternative -- "coordinated disclosure" -- that gives clearer guidance and more options to security researchers who discover security holes in software products created by third-party ISVs.
So what's changed? Responsible disclosure asks researchers to report the security holes they find to vendors, then wait (patiently) for a patch for the hole before notifying the public. Coordinated disclosure keeps most of that, but puts the onus on ISVs to respond rapidly if there's evidence that a security hole is being actively exploited. In that case, researchers may release some details of the hole -- enough for the public to protect itself from exploitation.
But those who report vulnerabilities are still expected to coordinate with vendors on the release of data and to refrain from releasing exploit code that "proves" their find. The other big change, of course, is the removal of the word "responsible" and the notion that researchers are acting "irresponsibly" by not deferring to ISVs in all matters related to their find. The list of signatories on this new policy is a Dream Team of software vulnerability researchers and security VIPs and lends the weight of hard-earned reputations to the new plan.