Coordinated Vulnerability Disclosure
Microsoft Security Response Center
Microsoft takes security, trust, and transparency seriously. Our software, services, and hardware are utilized worldwide on several billion machines.
Through our Security Development Lifecycle, we engage and advance industry standards to address security vulnerabilities before our products launch.
In the case that a vulnerability is found after we launch, we address it as quickly as possible and prepare it for deployment the world over. We employ world-class security researchers internally and actively seek to partner with the security research community. We appreciate the work the security research community does to partner with us in better protecting customers.
We ask the security research community to give us an opportunity to correct a vulnerability before publicly identifying or disclosing it, as we ourselves do when we discover vulnerabilities in other vendors' products. This serves everyone's best interests by ensuring that customers receive comprehensive, high-quality updates for security vulnerabilities, but are not exposed to malicious attacks while the update is being developed. After customers are protected, public discussion of the vulnerability helps the industry at large improve its products.
This set of practices is called Coordinated Vulnerability Disclosure (CVD) and has been adopted by Microsoft and other software vendors across the industry. Microsoft has developed this comprehensive strategy for handling vulnerabilities discovered in third-party software to help ensure that the ecosystem remains protected. The Microsoft Vulnerability Research (MSVR) program is responsible for the discovery, reporting, and coordination of vulnerabilities in third-party products and services. In all cases, a Microsoft employee who discovers a vulnerability in third-party software informs the MSVR program and works to disclose details of the vulnerability in coordination with the vendor.
Microsoft's Approach to Coordinated Vulnerability Disclosure
Under the principle of Coordinated Vulnerability Disclosure, researchers disclose newly discovered vulnerabilities in hardware, software, and services directly to the vendors of the affected product; to a national CERT or other coordinator who will report to the vendor privately; or to a private service that will likewise report to the vendor privately. The researcher allows the vendor the opportunity to diagnose and offer fully tested updates, workarounds, or other corrective measures before any party discloses detailed vulnerability or exploit information to the public. The vendor continues to coordinate with the researcher throughout the vulnerability investigation and provides the researcher with updates on case progress. Upon release of an update, the vendor may recognize the finder for the research and for privately reporting the issue. If attacks are underway in the wild, and the vendor is still working on the update, then both the researcher and vendor work together as closely as possible to provide early public vulnerability disclosure to protect customers. The aim is to provide timely and consistent guidance to customers to help them protect themselves.
For more information on CVD, please review the information provided in the following links: