Microsoft has implemented a new company policy requiring all employees to follow a detailed set of procedures when reporting security vulnerabilities in third-party products. The practices are an evolution of the coordinated vulnerability disclosure doctrine it proposed in July. They're intended to simplify communication among …
Microsoft internal security policies
It is great to see that Microsoft is actively embracing the need to drive positive change in building secure software in the industry. While there is still a long way to go, it's a great step forward. I wish newer entrants would learn from the mistakes made by Microsoft and other product vendors ten years ago. I wrote about it in my post "Facebook faces the same security threats that Microsoft did years ago?" @ http://luciusonsecurity.blogspot.com/2011/03/facebook-faces-same-security-threats.html
20 days old news
"The policy (MS Word document here) applies to ..."
The Security Disclosure Policy is in MS Word? Good one :o)
mmmm, was wondering about that one as well...
Microsoft should be ashamed! ROFLMAO
Big weapon mentality of Microsoft FAILS again. Possible solutions:
1. Hold Microsoft legally liable for damages caused by misuse of the poorly designed weapons. (Nonstarter and ROFLMAO.)
2. Create REAL competition in the OS market, for example by dividing Microsoft into separate competing companies. (Ditto squared and cubed.)
Oh well. Whatever you can say about Microsoft's so-called software, you have to admit that their economic model works. I've concluded that the most important failure of the OSS alternatives is that their economic models are inferior. So here's a suggested alternative economic model:
Did you actually read the article?
Given that the article is about security bugs that Microsoft researchers discover in other people's code, I think it is pretty clear you didn't. I think the FAIL is fairly and squarely in your court on this occasion.
"Under the policy, Microsoft employees who discover vulnerabilities will report them privately to the third-party organizations responsible. Encrypted email is the favored medium, but only after the employee has identified the right third-party person to receive the report. "
Good luck with finding that right third-party person.
...and Security doesn't go well together.
The only thing that's secure is a locked-out admin password on a Win2k3 domain controller - with no other admin accounts available.