Microsoft imposes security disclosure policy on all workers

Microsoft has implemented a new company policy requiring all employees to follow a detailed set of procedures when reporting security vulnerabilities in third-party products. The practices are an evolution of the coordinated vulnerability disclosure doctrine it proposed in July. They're intended to simplify communication among …


  1. LuciusonSecurity

    Microsoft internal security policies

    It is great to see that Microsoft is actively embracing the need to drive positive change in building secure software in the industry. While there is still a long way to go, it's a great step forward. I wish newer entrants would learn from the mistakes made by Microsoft and other product vendors ten years ago. I wrote about it in my post "Facebook faces the same security threats that Microsoft did years ago?" @

  2. Anonymous Coward

    20-day-old news

    "The policy (MS Word document here) applies to ..."

    The Security Disclosure Policy is in MS Word? Good one :o)

    1. Rovindi

      mmmm, was wondering about that one as well...

  3. Shannon Jacobs

    Microsoft should be ashamed! ROFLMAO

    Big weapon mentality of Microsoft FAILS again. Possible solutions:

    1. Hold Microsoft legally liable for damages caused by misuse of the poorly designed weapons. (Nonstarter and ROFLMAO.)

    2. Create REAL competition in the OS market, for example by dividing Microsoft into separate competing companies. (Ditto squared and cubed.)

    Oh well. Whatever you can say about Microsoft's so-called software, you have to admit that their economic model works. I've concluded that the most important failure of the OSS alternatives is that their economic models are inferior. So here's a suggested alternative economic model:

    1. Anonymous Coward

      Did you actually read the article?

      Given that the article is about security bugs that Microsoft researchers discover in other people's code, I think it is pretty clear you didn't. I think the FAIL is fairly and squarely in your court on this occasion.

  4. amanfromMars 1

    Mission EMPossible?

    "Under the policy, Microsoft employees who discover vulnerabilities will report them privately to the third-party organizations responsible. Encrypted email is the favored medium, but only after the employee has identified the right third-party person to receive the report. "

    Good luck with finding that right third-party person.

  5. Anonymous South African Coward

    ...and Security doesn't go well together.

    The only thing that's secure is a locked-out admin password on a Win2k3 domain controller - with no other admin accounts available.

