Microsoft CVD and Efforts for Industry Collaboration
- Wednesday, April 20, 2011, 10:51
- Threat Research
Guest Blog by Rodrigo Branco, Vulnerability and Malware Research Director, Qualys
As Microsoft noted in an MSRC blog post, April was a great month for industry collaboration. Using Coordinated Vulnerability Disclosure (CVD), 21 vulnerability researchers (myself included - see MS11-021) worked together with Microsoft and other vendors to identify bugs, assess threats, and come up with fixes to protect customers.
The Microsoft CVD was introduced last July as a way to strengthen responsible disclosure, where researchers work with vendors to provide fixes for vulnerabilities before reporting them to the public. We at Qualys believe that the CVD is an excellent effort by Microsoft to involve researchers in the advance notification and patching of a vulnerability, and that this collaboration between vendor and researcher is in the best interest of computer end-users.
The CVD also outlines a process for vulnerabilities that involve multiple vendors.
In general, when a vulnerability affects multiple vendors, the amount of work spent on coordination rises substantially. For example, different vendors may be on different patching schedules (some release every few months, some release every year), so the policy of each vendor will affect the release of the patch. Typically the researcher should wait for the last vendor and be very clear with all of the vendors about when the vulnerability will be