cross-posted from: feddit.org/post/899847
Edit for an addition: If you are interested in the technical details of this bug, you can read about it here.
Several cybersecurity firms have criticized Microsoft for mishandling bug reports submitted under Coordinated Vulnerability Disclosure (CVD), claiming that Microsoft's lack of proper communication with security researchers could deter future vulnerability disclosures, putting users at greater risk.
CVD is a widely adopted process in security research. When independent researchers find a vulnerability in a product of a vendor like Microsoft, they report the issue with all the details, allowing the vendor to fix it before the details are published. Typically, software vendors acknowledge the researcher's work and sometimes reward them for their contribution. In a recent post on its website, however, the Zero Day Initiative (ZDI) accuses Microsoft of a "lack of transparency" which "leaves researchers who practice CVD with more questions than answers".
ZDI refers to a Microsoft patch released in July (CVE-2024-38112), which Microsoft said was being exploited in the wild.
“We at the Trend Micro Zero Day Initiative (ZDI) agree with them because that’s what we told them back in May when we detected this exploit in the wild and reported it to Microsoft”, the firm writes.
“However, you may notice that no one from Trend or ZDI was acknowledged by Microsoft. This case has become a microcosm of the problems with coordinated vulnerability disclosure (CVD) as vendors push for coordinated disclosure from researchers but rarely practice any coordination regarding the fix.”
"CVD doesn't work if the only ones coordinating are the researchers," the ZDI says. They add that there have been multiple such occasions with other vendors. "The lack of coordination doesn't just hurt the vendor/researcher relationship. It hurts the end users."
ZDI concludes:
Why is CVD not working? Has the number of bugs being disclosed increased to the level where vendors simply cannot cope with the level of coordination? Have budget cuts reduced the number of response personnel vendors employ? Has the rush to automation come at the expense of coordination? Are researchers just reporting to an API and no humans are reviewing the reports? As I said, we're left with more questions than answers.