Msg#: 4175084 posted 12:26 am on Jul 23, 2010 (gmt 0)
Microsoft has submitted a proposal aimed at quelling one of the oldest debates in security circles: retiring the use of the term “responsible disclosure.”
The software maker wants to replace the term with the less pejorative phrase “coordinated vulnerability disclosure.” The hope is that software makers and researchers can put aside decade-old differences about the best way to handle critical defects so that end users are best protected.
“We don't want an emotionally laden term clouding the debate, and that's definitely gotten in the way of a lot of good discussions between like-minded people in security,” said Katie Moussouris, senior security strategist in the Microsoft Security Response Center. “We're really trying to reach out across the disclosure dividing lines and find the common ground where we all are. We all want to protect customers and users.”
Msg#: 4175084 posted 12:56 am on Jul 23, 2010 (gmt 0)
This has a bit to do with the recent incident that occurred when Google's Tavis Ormandy released details of a Windows bug without giving MS time to patch it. The argument for the change to "coordinated vulnerability disclosure" makes sense to me. It doesn't villainize the researchers who disclose these bugs to the same degree as "responsible disclosure" seems to.