Archive

Archive for the ‘Coordinated Vulnerability Disclosure’ Category

Congratulations to the Top MSRC 2021 Q3 Security Researchers!

October 14th, 2021 No comments

Congratulations to all the researchers recognized in this quarter’s MSRC Researcher Recognition Program leaderboard! Thank you to everyone for your hard work and continued partnership to secure customers. The top three researchers of the 2021 Q3 Security Researcher Leaderboard are: BugHunter010 (840 points), Callum Carney (828 points), and Nir Ohfeld (525 points)! Each quarterly leaderboard …

Congratulations to the Top MSRC 2021 Q3 Security Researchers! Read More »

Announcing the Launch of the Azure SSRF Security Research Challenge

August 19th, 2021 No comments

Microsoft is excited to announce the launch of a new, three-month security research challenge under the Azure Security Lab initiative. The Azure Server-Side Request Forgery (SSRF) Research Challenge invites security researchers to discover and share high impact SSRF vulnerabilities in Microsoft Azure. Qualified submissions are eligible for bounty rewards up to $60,000 USD, with additional …

Announcing the Launch of the Azure SSRF Security Research Challenge Read More »

Congratulations to the MSRC 2021 Most Valuable Security Researchers!

August 4th, 2021 No comments

The MSRC Researcher Recognition Program offers public thanks and acknowledgement to the researchers who help protect customers through discovering and sharing security vulnerabilities under Coordinated Vulnerability Disclosure. Today, we are excited to recognize this year’s Most Valuable Security Researchers (MVRs) based on the impact, accuracy, and volume of their reports. Congratulations to each of our MSRC …

Congratulations to the MSRC 2021 Most Valuable Security Researchers! Read More »

Announcing the Top MSRC 2021 Q2 Security Researchers – Congratulations!

July 15th, 2021 No comments

We’re excited to announce the top contributing researchers for the 2021 Second Quarter (Q2)! Congratulations to all the researchers recognized in this quarter’s leaderboard and thank you to everyone who continues to help secure our customers and the ecosystem. The top three researchers of the 2021 Q2 Security Researcher Leaderboard are: Yuki Chen (765 points), …

Announcing the Top MSRC 2021 Q2 Security Researchers – Congratulations! Read More »

Congratulating Our Top MSRC 2021 Q1 Security Researchers!

April 15th, 2021 No comments

We’re excited to announce the top contributing researchers for the 2021 First Quarter (Q1)! Congratulations to all the researchers recognized in this quarter’s leaderboard and thank you to everyone who continues to help secure our customers and the ecosystem. The top three researchers of the 2021 Q1 Security Researcher Leaderboard are: Yuki Chen (4365 points), …

Congratulating Our Top MSRC 2021 Q1 Security Researchers! Read More »

MSRC Security Researcher Recognition: 2021

February 10th, 2021 No comments

Wondering how to get into the 2021 MSRC Most Valuable Security Researcher list and get recognized during the Black Hat USA this August? Read on to learn more about the different paths you can take to get into the top researcher tiers. The MSRC Most Valuable Security Researcher (MVR) and MSRC Contributor are tiers in …

MSRC Security Researcher Recognition: 2021 Read More »

Top MSRC 2020 Q4 Security Researchers – Congratulations!

January 14th, 2021 No comments

We’re excited to announce the top contributing researchers for the 2020 Fourth Quarter (Q4)! Congratulations to all of the researchers who made this quarter’s leaderboard and a huge thank you to everyone who continues to help secure our customers and the ecosystem. The top three researchers of the 2020 Q4 Security Researcher Leaderboard are: Cameron …

Top MSRC 2020 Q4 Security Researchers – Congratulations! Read More »

Announcing the Top MSRC 2020 Q3 Security Researchers

October 15th, 2020 No comments

Following the MSRC’s 2020 Most Valuable Security Researchers announced during this year’s Black Hat, we’re excited to announce the top contributing researchers for the 2020 Third Quarter (Q3)! The top three researchers of the 2020 Q3 Security Researcher Leaderboard are: David Dworken (1800 points), Cameron Vincent (1780 points), and Yuki Chen (1380 points). Congratulations to …

Announcing the Top MSRC 2020 Q3 Security Researchers Read More »

The post Announcing the Top MSRC 2020 Q3 Security Researchers appeared first on Microsoft Security Response Center.

What to Expect When Reporting Vulnerabilities to Microsoft

September 21st, 2020 No comments

At the Microsoft Security Response Center’s (MSRC), our primary mission is to help protect our customers. One of the ways we do this is by working with security researchers to discover security vulnerabilities in our services and products, and then making sure those that pose a threat to customers get fixed. Many researchers report these …

What to Expect When Reporting Vulnerabilities to Microsoft Read More »

The post What to Expect When Reporting Vulnerabilities to Microsoft appeared first on Microsoft Security Response Center.

Congratulations to the MSRC’s 2020 Most Valuable Security Researchers

August 5th, 2020 No comments

Today we announce our Most Valuable Security Researchers for 2020! The MSRC Researcher Recognition program is an integral aspect of recognizing the ongoing partnerships with our community of talented security researchers who report through Coordinated Vulnerability Disclosure (CVD). These recognitions run throughout specific periods of the year and provide regular opportunities to recognize those who …

Congratulations to the MSRC’s 2020 Most Valuable Security Researchers Read More »

The post Congratulations to the MSRC’s 2020 Most Valuable Security Researchers appeared first on Microsoft Security Response Center.

Top MSRC 2020 Q2 Security Researchers Announced – Congratulations!

July 15th, 2020 No comments

We are excited to announce the top contributing researchers for the 2020 Second Quarter (Q2)! Congratulations to all the researchers who continue to rock the leaderboard, and a big thank you to everyone for your contribution to securing our customers and the ecosystem. The top three researchers of the 2020 Second Quarter (Q2) Security Researcher …

Top MSRC 2020 Q2 Security Researchers Announced – Congratulations! Read More »

The post Top MSRC 2020 Q2 Security Researchers Announced – Congratulations! appeared first on Microsoft Security Response Center.

Congratulating Our Top 2020 Q1 Security Researchers!

April 23rd, 2020 No comments

Following the second Security Researcher Quarterly Leaderboard and the 2020 MSRC Most Valuable Security Researchers criteria we published in February 2020, we are excited to announce the 2020 First Quarter (Q1) Security Researcher Leaderboard, listing our top contributing researchers for the last quarter. The top three researchers of the last quarter are: Zhiniang Peng (2870 …

Congratulating Our Top 2020 Q1 Security Researchers! Read More »

The post Congratulating Our Top 2020 Q1 Security Researchers! appeared first on Microsoft Security Response Center.

Recognizing Security Researchers in 2020

February 3rd, 2020 No comments

Is it too early to talk about the 2020 MSRC Most Valuable Security Researchers? Five months from now, at the end of June, the program period closes for researchers to be considered for inclusion in the Most Valuable Researchers list. The top researcher list will be revealed at Black Hat North America in August. For …

Recognizing Security Researchers in 2020 Read More »

The post Recognizing Security Researchers in 2020 appeared first on Microsoft Security Response Center.

Announcing MSRC 2019 Q4 Security Researcher Leaderboard

January 15th, 2020 No comments

Following the first Security Researcher Quarterly Leaderboard we published in October 2019, we are excited to announce the MSRC Q4 2019 Security Researcher Leaderboard, which shows the top contributing researchers for the last quarter. In each quarterly leaderboard, we recognize the security researchers who ranked at or above the 95th percentile line based on the …

Announcing MSRC 2019 Q4 Security Researcher Leaderboard Read More »

The post Announcing MSRC 2019 Q4 Security Researcher Leaderboard appeared first on Microsoft Security Response Center.

Announcing the Security Researcher Quarterly Leaderboard

October 17th, 2019 No comments

Right before Black Hat USA 2019, we announced our new researcher recognition program, and at Black Hat we announced the top researchers from the previous twelve months. Since it’s easier to track your progress with regular updates than with just an annual report, we are excited to announce the MSRC Q3 2019 Security Researcher Leaderboard, …

Announcing the Security Researcher Quarterly Leaderboard Read More »

The post Announcing the Security Researcher Quarterly Leaderboard appeared first on Microsoft Security Response Center.

A Call for Better Coordinated Vulnerability Disclosure

January 12th, 2015 No comments

For years our customers have been in the trenches against cyberattacks in an increasingly complex digital landscape. We’ve been there with you, as have others. And we aren’t going anywhere.  Forces often seek to undermine and disrupt technology and people, attempting to weaken the very devices and services people have come to depend on and trust. Just as malicious acts are planned, so too are counter-measures implemented by companies like Microsoft. These efforts aim to protect everyone against a broad spectrum of activity ranging from phishing scams that focus on socially engineered trickery, to sophisticated attacks by persistent and determined adversaries. (And yes, people have a role to play – strong passwords, good policies and practices, keeping current to the best of your ability, detection and response, etc. But we’ll save those topics for another day).     

With all that is going on, this is a time for security researchers and software companies to come together and not stand divided over important protection strategies, such as the disclosure of vulnerabilities and the remediation of them. 

In terms of the software industry at large and each player’s responsibility, we believe in Coordinated Vulnerability Disclosure (CVD).  This is a topic that the security technology profession has debated for years. Ultimately, vulnerability collaboration between researchers and vendors is about limiting the field of opportunity so customers and their data are better protected against cyberattacks.

Those in favor of full, public disclosure believe that this method pushes software vendors to fix vulnerabilities more quickly and makes customers develop and take actions to protect themselves. We disagree. Releasing information absent context or a stated path to further protections, unduly pressures an already complicated technical environment. It is necessary to fully assess the potential vulnerability, design and evaluate against the broader threat landscape, and issue a “fix” before it is disclosed to the public, including those who would use the vulnerability to orchestrate an attack. We are in this latter camp. 

CVD philosophy and action is playing out today as one company – Google – has released information about a vulnerability in a Microsoft product, two days before our planned fix on our well known and coordinated Patch Tuesday cadence, despite our request that they avoid doing so.  Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix. Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a “gotcha”, with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal. 

Microsoft has long believed coordinated disclosure is the right approach and minimizes risk to customers. We believe those who fully disclose a vulnerability before a fix is broadly available are doing a disservice to millions of people and the systems they depend upon.  Other companies and individuals believe that full disclosure is necessary because it forces customers to defend themselves, even though the vast majority take no action, being largely reliant on a software provider to release a security update. Even for those able to take preparatory steps, risk is significantly increased by publically announcing information that a cybercriminal could use to orchestrate an attack and assumes those that would take action are made aware of the issue. Of the vulnerabilities privately disclosed through coordinated disclosure practices and fixed each year by all software vendors, we have found that almost none are exploited before a “fix” has been provided to customers, and even after a “fix” is made publicly available only a very small amount are ever exploited. Conversely, the track record of vulnerabilities publicly disclosed before fixes are available for affected products is far worse, with cybercriminals more frequently orchestrating attacks against those who have not or cannot protect themselves.

Another aspect of the CVD debate has to do with timing – specifically the amount of time that is acceptable before a researcher broadly communicates the existence of a vulnerability.  Opinion on this point varies widely. Our approach and one that we have advocated others adopt, is that researchers work with the vendor to deliver an update that protects customers prior to releasing details of the vulnerability. There are certainly cases where lack of response from a vendor(s) challenges that plan, but still the focus should be on protecting customers. You can see our values in action through our own security experts who find and report vulnerabilities in many companies’ products, some of which we receive credit for, and many that are unrecognized publically. We don’t believe it would be right to have our security researchers find vulnerabilities in competitors’ products, apply pressure that a fix should take place in a certain timeframe, and then publically disclose information that could be used to exploit the vulnerability and attack customers before a fix is created.

Responding to security vulnerabilities can be a complex, extensive and time-consuming process.  As a software vendor this is an area in which we have years of experience. Some of the complexity in the timing discussion is rooted in the variety of environments that we as security professionals must consider: real world impact in customer environments, the number of supported platforms the issue exists in, and the complexity of the fix. Vulnerabilities are not all made equal nor according to a well-defined measure. And, an update to an online service can have different complexity and dependencies than a fix to a software product, decade old software platform on which tens of thousands have built applications, or hardware devices. Thoughtful collaboration takes these attributes into account. 

To arrive at a place where important security strategies protect customers, we must work together. We appreciate and recognize the positive collaboration, information sharing and results-orientation underway with many security players today.  We ask that researchers privately disclose vulnerabilities to software providers, working with them until a fix is made available before sharing any details publically. It is in that partnership that customers benefit the most. Policies and approaches that limit or ignore that partnership do not benefit the researchers, the software vendors, or our customers. It is a zero sum game where all parties end up injured.

Let’s face it, no software is perfect. It is, after all, made by human beings. Microsoft has a responsibility to work in our customers’ best interest to address security concerns quickly, comprehensively, and in a manner that continues to enable the vast ecosystem that provides technology to positively impact peoples’ lives. Software is organic, usage patterns and practices change, and new systems are built on top of products that test (and in some cases exceed) the limits of its original design. In many ways that’s the exciting part of software within the rapidly evolving world that we live in. Stating these points isn’t in any way an abdication of responsibility.  It is our job to build the best possible software that we can, and to protect it continuously to the very best of our ability. We’re all in.

Chris Betz
Senior Director, MSRC
Trustworthy Computing

[Note: In our own CVD policy (available at microsoft.com/cvd), we do mention exceptions for cases in which we might release an advisory about a vulnerability in a third party’s software before an update is ready, including when the technical details have become publicly known, when there is evidence of exploitation of an unpatched vulnerability, and when the vendor fails to respond to requests for discussion.]

A Call for Better Coordinated Vulnerability Disclosure

January 12th, 2015 No comments

For years our customers have been in the trenches against cyberattacks in an increasingly complex digital landscape. We’ve been there with you, as have others. And we aren’t going anywhere.  Forces often seek to undermine and disrupt technology and people, attempting to weaken the very devices and services people have come to depend on and trust. Just as malicious acts are planned, so too are counter-measures implemented by companies like Microsoft. These efforts aim to protect everyone against a broad spectrum of activity ranging from phishing scams that focus on socially engineered trickery, to sophisticated attacks by persistent and determined adversaries. (And yes, people have a role to play – strong passwords, good policies and practices, keeping current to the best of your ability, detection and response, etc. But we’ll save those topics for another day).     

With all that is going on, this is a time for security researchers and software companies to come together and not stand divided over important protection strategies, such as the disclosure of vulnerabilities and the remediation of them. 

In terms of the software industry at large and each player’s responsibility, we believe in Coordinated Vulnerability Disclosure(CVD).  This is a topic that the security technology profession has debated for years. Ultimately, vulnerability collaboration between researchers and vendors is about limiting the field of opportunity so customers and their data are better protected against cyberattacks.

Those in favor of full, public disclosure believe that this method pushes software vendors to fix vulnerabilities more quickly and makes customers develop and take actions to protect themselves. We disagree. Releasing information absent context or a stated path to further protections, unduly pressures an already complicated technical environment. It is necessary to fully assess the potential vulnerability, design and evaluate against the broader threat landscape, and issue a “fix” before it is disclosed to the public, including those who would use the vulnerability to orchestrate an attack. We are in this latter camp. 

CVD philosophy and action is playing out today as one company – Google – has released information about a vulnerability in a Microsoft product, two days before our planned fix on our well known and coordinated Patch Tuesday cadence, despite our request that they avoid doing so.  Specifically, we asked Google to work with us to protect customers by withholding details until Tuesday, January 13, when we will be releasing a fix. Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a “gotcha”, with customers the ones who may suffer as a result. What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal. 

Microsoft has long believed coordinated disclosure is the right approach and minimizes risk to customers. We believe those who fully disclose a vulnerability before a fix is broadly available are doing a disservice to millions of people and the systems they depend upon.  Other companies and individuals believe that full disclosure is necessary because it forces customers to defend themselves, even though the vast majority take no action, being largely reliant on a software provider to release a security update. Even for those able to take preparatory steps, risk is significantly increased by publically announcing information that a cybercriminal could use to orchestrate an attack and assumes those that would take action are made aware of the issue. Of the vulnerabilities privately disclosed through coordinated disclosure practices and fixed each year by all software vendors, we have found that almost none are exploited before a “fix” has been provided to customers, and even after a “fix” is made publicly available only a very small amount are ever exploited. Conversely, the track record of vulnerabilities publicly disclosed before fixes are available for affected products is far worse, with cybercriminals more frequently orchestrating attacks against those who have not or cannot protect themselves.

Another aspect of the CVD debate has to do with timing – specifically the amount of time that is acceptable before a researcher broadly communicates the existence of a vulnerability.  Opinion on this point varies widely. Our approach and one that we have advocated others adopt, is that researchers work with the vendor to deliver an update that protects customers prior to releasing details of the vulnerability. There are certainly cases where lack of response from a vendor(s) challenges that plan, but still the focus should be on protecting customers. You can see our values in action through our own security experts who find and report vulnerabilities in many companies’ products, some of which we receive credit for, and many that are unrecognized publically. We don’t believe it would be right to have our security researchers find vulnerabilities in competitors’ products, apply pressure that a fix should take place in a certain timeframe, and then publically disclose information that could be used to exploit the vulnerability and attack customers before a fix is created.

Responding to security vulnerabilities can be a complex, extensive and time-consuming process.  As a software vendor this is an area in which we have years of experience. Some of the complexity in the timing discussion is rooted in the variety of environments that we as security professionals must consider: real world impact in customer environments, the number of supported platforms the issue exists in, and the complexity of the fix. Vulnerabilities are not all made equal nor according to a well-defined measure. And, an update to an online service can have different complexity and dependencies than a fix to a software product, decade old software platform on which tens of thousands have built applications, or hardware devices. Thoughtful collaboration takes these attributes into account. 

To arrive at a place where important security strategies protect customers, we must work together. We appreciate and recognize the positive collaboration, information sharing and results-orientation underway with many security players today.  We ask that researchers privately disclose vulnerabilities to software providers, working with them until a fix is made available before sharing any details publically. It is in that partnership that customers benefit the most. Policies and approaches that limit or ignore that partnership do not benefit the researchers, the software vendors, or our customers. It is a zero sum game where all parties end up injured.

Let’s face it, no software is perfect. It is, after all, made by human beings. Microsoft has a responsibility to work in our customers’ best interest to address security concerns quickly, comprehensively, and in a manner that continues to enable the vast ecosystem that provides technology to positively impact peoples’ lives. Software is organic, usage patterns and practices change, and new systems are built on top of products that test (and in some cases exceed) the limits of its original design. In many ways that’s the exciting part of software within the rapidly evolving world that we live in. Stating these points isn’t in any way an abdication of responsibility.  It is our job to build the best possible software that we can, and to protect it continuously to the very best of our ability. We’re all in.

Chris Betz
Senior Director, MSRC
Trustworthy Computing

[Note: In our own CVD policy (available at microsoft.com/cvd), we do mention exceptions for cases in which we might release an advisory about a vulnerability in a third party’s software before an update is ready, including when the technical details have become publicly known, when there is evidence of exploitation of an unpatched vulnerability, and when the vendor fails to respond to requests for discussion.]

Microsoft partners with security community to help reduce risk

April 28th, 2011 No comments

A vulnerability is a weakness that enables a cybercriminal to attack computer hardware, software, or services. Companies or individuals sometimes find vulnerabilities in the software of other companies, and there are different ideas about what to do with that information. Some companies disclose it publicly, possibly with the idea of pressuring the owner to fix it quickly. However, this also exposes vulnerabilities to cybercriminals.

Last summer Microsoft announced that we would be working directly with researchers and vendors to minimize the security risks for customers through a process called Coordinated Vulnerability Disclosure (CVD). Last week we announced an update to this process.

Here’s a simple description of how CVD works:

Finders disclose newly discovered vulnerabilities in hardware, software, and services directly to the vendors of the affected product or to a coordinator who will report to the vendor privately. The finder then allows the vendor time to diagnose and offer fully tested updates, workarounds, or other corrective measures before the finder discloses detailed vulnerability or exploit information to the public.

The vendor continues to coordinate with the finder throughout the vulnerability investigation and provides the finder with updates on case progress. Upon release of an update, the vendor may recognize the finder in bulletins or advisories for finding and privately reporting the issue.

For a more detailed description, see Microsoft Security Response Center: Coordinated Vulnerability Disclosure or watch a video about how CVD works at TechNet Edge.