Microsoft puts in new security update policy for third party store apps

Microsoft has fully embraced the app store model for many of its current products. That includes Windows Phone 8 and Windows 8, which recently went over the 100,000 apps mark in the Windows Store. However, some third party apps that are published by Microsoft in those stores could have security problems that are discovered later. Today, Microsoft said that developers of any third party apps released via its download storefronts will be required to update those apps if a major security issue is found.

In a post today on Microsoft's Security Response Center blog, the company went over its new policies for third party app security updates. The policy covers apps published in the Windows Store (Windows 8) and Windows Phone Store (Windows Phone 7/8), along with the Office Store (Office 2013/365) and Azure Marketplace (Windows Azure). The blog states:

Starting today, developers will be required to submit an updated app within 180 days of being notified of a Critical or Important severity security issue. This assumes the app is not currently being exploited in the wild. In those cases, we’ll work with the developer to have an update available as soon as possible and may remove the app from the store earlier.

The blog adds that Microsoft will work with any app developer who discovers they need more than 180 days to fix any security issue with their apps.

Source: Microsoft | Image via Microsoft

6 Comments

The timeframe for a security fix should be a monthly cycle like Microsoft's monthly security patches and also depends on the severity of the flaw. 30 days sounds like it should be a normal routine to me.

sn0wbl1tz said,
The timeframe for a security fix should be a monthly cycle like Microsoft's monthly security patches and also depends on the severity of the flaw. 30 days sounds like it should be a normal routine to me.
Except Microsoft very rarely releases a patch within 30 days of discovery. They usually take months to implement and test; they just release all the completed ones every month.

It takes a long time to properly assess the full extent of a security flaw, check for related flaws elsewhere, implement a full fix and then test fully to make sure that it both fixes the flaw AND doesn't break anything else. Releasing early with a simple fix for the problem reported can tip hackers off to a flaw that they can then look for elsewhere and exploit before MS can patch the rest. Delaying can sometimes be the safer thing to do.

Good to hear. I know folks who object to the closed garden on principle, but sadly? It's more beneficial, I think, to the average user.

If this is bad for someone, it's either due to ideology or more sophisticated needs (IT departments). For most everyone else, it's good to see. Certainly, I like the idea of apps with major security issues being pulled from the store if the creator can't or won't fix them. The only question is, "what about existing users?"

spy beef said,
180 days is too long. It should be 30 days.

How about 45-60, depending on severity? Granted, I have NO idea how long it takes to write a fix and test, you know? Not a developer...