Microsoft: We Don't Want to Zero-Day Our Customers

guest · Aug 11, 2022

The head of Microsoft's Security Response Center defends keeping its initial vulnerability disclosures sparse -- it is, she says, to protect customers.
August 12, 2022

BLACK HAT USA – LAS VEGAS—A top Microsoft security executive today defended the company's vulnerability disclosure policies as providing enough information for security teams to make informed patching decisions without putting them at risk of attack from threat actors looking to quickly reverse engineer patches for exploitation.

In a conversation with Dark Reading at Black Hat USA, the corporate vice president of Microsoft's Security Response Center, Aanchal Gupta, said the company has consciously decided to limit the information it provides initially with its CVEs to protect users. While Microsoft CVEs provide information on the severity of the bug, and the likelihood of it being exploited (and whether it is being actively exploited), the company will be judicious about how it releases vulnerability exploit information.
Click to expand...

"If, in our CVE, we provided all the details of how vulnerabilities can be exploited, we will be zero-daying our customers," Gupta says.
Sparse Vulnerability Information?
Microsoft—as other major software vendors—has faced criticism from security researchers for the relatively sparse information the company releases with its vulnerability disclosures.

They have noted that Microsoft's current practice of putting vulnerabilities into an "Exploitation More Likely" or an "Exploitation Less Likely" does not provide enough information to make risk-based prioritization decisions.
Click to expand...

Consistent with MITRE's CVE Policies
Gupta says Microsoft's decision about whether or not to issue a CVE for a vulnerability is consistent with the policies of MITRE's CVE program.

"As per their policy, if there is no customer action needed, we are not required to issue a CVE," she says.
Click to expand...

Log in or Sign up

Microsoft: We Don't Want to Zero-Day Our Customers

guest Guest

Log in or Sign up

Microsoft: We Don't Want to Zero-Day Our Customers

guest Guest

Useful Searches