Find a Bug? Don't E-Mail Microsoft

Props to Mr Sweden for this.

It may be the most-used vendor bug reporting address in history. This week Redmond put "secure@microsoft.com" out to pasture in favor of a handy Web form.

To improve the information-gathering phase of its security investigations Microsoft is moving away from the use of a dedicated e-mail address for contacting the company about security bugs, the company said Tuesday.

The Microsoft Security Response Center (MSRC) will continue to monitor secure@microsoft.com to accept vulnerability reports and to communicate with customers, according to a spokesman. But last weekend the company removed the e-mail address from the "Alert Us" page at its security site. In its place is a new Web-based input form designed to gather the information needed to start an investigation, the Microsoft representative said.

The new vulnerability reporting form coaches bug reporters through the steps of describing which products are affected, the nature of the flaw and how an attacker might exploit it. Once a report is submitted, the process operates exactly as before, primarily through e-mail between the customer and MSRC staff, Microsoft said.

Under the previous reporting system, Microsoft typically needed to exchange several e-mails with the vulnerability finder before launching its own investigation, Microsoft said.

To encourage security professionals to work with Microsoft confidentially on security bugs, in 2000 the company began formally acknowledging experts who discreetly report vulnerabilities to Microsoft. The acknowledgements appear in a special section of the firm's security bulletins.

Microsoft's security group received over 5,000 e-mails during the first eight months of 2000, according to the company's Web site.

Reaction to the new reporting system was mixed among the white hat hackers and security researchers most accustomed to telling Microsoft about its security holes.

A security researcher with EyeOnSecurity.net said he welcomed the new system. "I hope this standardization may be better for them and the security researcher -- so that both speak the same language," said "Obscure," who noted that Microsoft has recently had difficulty reproducing vulnerabilities he has reported to the company.

News source: Security Focus
