Microsoft outlined what it does with incoming vulnerability research, how it designates flaws and playing the cloak-and-dagger game with hackers.
In a Q&A with Ryan Naraine, Jonathan Ness, the lead software engineer on Microsoft's SWI Defense team, addressed a big emerging issue between the software giant and security researchers: Who has the onus to reproduce the flaw? Researchers say Microsoft puts the onus on them to reproduce an issue before doing anything. Microsoft says that's not the case.
What happens when a researcher reports a vulnerability to Microsoft? Ness says:
When a bug report comes in, the MSRC guys will look it over and work on making sure we have all information to help us reproduce the issue. They will open a ticket, notify the researcher and pass it on to the SWI React team. If it's something the MSRC flags as critical, SWI React gets on the ball with the MSRC and the [affected] product team immediately.
The priority is to reproduce the vulnerability, look closely at the surrounding code and understand all potential risks. Once they figure that out, we come in to look for mitigations and workarounds to divert the flow of [attack] code-try to block the vulnerable code from being hit...
Who has to prove the vulnerability? Ness notes:
We try to reproduce every vulnerability that comes in. We really do try. We try to gather all the information, whether it's just an e-mail notice or if there's a sample exploit. We will look at the code, build the test tools and try really hard to find what the [researcher] is reporting. If we can't, our only option is to go back to them and ask them to help us reproduce it.
If possible, we'll try to set up a machine and ask them to hit us with an attack so we can try to capture it. Our priority is to reproduce it, figure out the problem, and then get it fixed.
From there, Ness' team figures out whether an incoming flaw is worth an advisory or detailing technical workarounds on its SWI blog. But once you get to the blog posting the cloak and dagger games begin. Ness has to walk a line between providing details to users and giving hackers ammo.