Microsoft Launches 'Coordinated Vulnerability Disclosure' For Flaws

Microsoft is planning to replace the term "responsible disclosure" with "coordinated vulnerability disclosure" as the default term for discussing vulnerability reporting, tech news site eWeek reported on Thursday.

The company has announced that it wants to move away from the terms "responsible disclosure" (RD) and the alternative of "full disclosure" (FD), in which details of a bug are immediately made public whether a patch has been prepared or not.

Instead, the company wants to adopt "coordinated vulnerability disclosure" (CVD). CVD is similar in practice to RD, with vulnerabilities being disclosed directly to the affected vendor, but emphasises the concept of collaboration.

Writing on his blog, Matt Thomlinson, general manager for security with Microsoft's Trustworthy Computing Group, said: "In recognition of the endless debate between responsible disclosure and full disclosure proponents and its ability to detract from meaningful and productive industry collaboration and customer defense, we believe that the community mindset needs to shift, framing a key point - that coordination and collaboration are required to resolve issues in a way that minimizes risk and disruption for customers."

He stated that the company wants to develop RD into something more focused and secure, where the company and its research team can declare a flaw alongside ways to secure affected systems until a patch is made available.