A vulnerability is a weakness that enables a cybercriminal to attack computer hardware, software, or services. Companies or individuals sometimes find vulnerabilities in another company's software, and there are different ideas about what to do with that information. Some disclose it publicly, possibly with the idea of pressuring the owner to fix it quickly. However, public disclosure also exposes the vulnerability to cybercriminals before a fix is available.
Last summer Microsoft announced that we would be working directly with researchers and vendors to minimize the security risks for customers through a process called Coordinated Vulnerability Disclosure (CVD). Last week we announced an update to this process.
Here’s a simple description of how CVD works:
Finders disclose newly discovered vulnerabilities in hardware, software, and services directly to the vendors of the affected product or to a coordinator who will report to the vendor privately. The finder then allows the vendor time to diagnose and offer fully tested updates, workarounds, or other corrective measures before the finder discloses detailed vulnerability or exploit information to the public.
The vendor continues to coordinate with the finder throughout the vulnerability investigation and provides the finder with updates on case progress. Upon release of an update, the vendor may recognize the finder in bulletins or advisories for finding and privately reporting the issue.
For a more detailed description, see Microsoft Security Response Center: Coordinated Vulnerability Disclosure or watch a video about how CVD works at TechNet Edge.