Microsoft has started publishing details of third-party security flaws. This kind of thing has always been touchy, and developers have wrestled with it for years. While it’s important to make security flaws public, the question is always when to do so. Announce them before the vendor has a chance to fix them, and you give the bad guys time to exploit them. On the other hand, waiting too long leaves a window of vulnerability open, as well.
Microsoft will publish security bugs in third-party software, preferably after they’ve been patched. The first two to come up: flaws in Opera and Google Chrome. Both have already been fixed, but it’s worth noting that the Chrome flaw was in versions 6 and 8. Chrome is now up to version 10.
Says the company:
“Microsoft will never reveal vulnerability details before a vendor-supplied update is available for issues reported through the Microsoft Vulnerability Research program unless there is significant evidence of active attacks in the wild,” Microsoft said. “If attacks begin before the vendor has released their remediation, Microsoft will continue to coordinate to release consistent mitigation and workaround guidance with the vendor.”
Google’s policy is to publish third-party vulnerabilities 60 days after alerting the developer. But Microsoft hopes others will adopt its system.