Microsoft paper raises issue of who researchers should report bugs to

In the fight against cyber attackers one of the contentious issues is how much information should defenders disclose and to who. Ethical researchers, for example, will tell a vendor of a vulnerability and give it time to create a patch before publicly releasing news of their finding. This is called responsible disclosure.

On the other hand, some argue that full disclosure to the public of a bug or serious flaw is the best way to pressure vendors not only to fix problems fast, but also to improve their product development to avoid embarrassing security disclosures.

The problem, of course, is that full disclosure also gives attackers notice of holes to go after, so they quickly modify their malware.

The debate has come to the fore again with the release last month by Microsoft of a report on proposed cybersecurity norms for building trust in ICT systems.

These suggested norms include obligations of countries to not allow anyone to author malicious cyber activity within their borders, that countries shouldn’t target critical infrastructures of others in times of peace, limiting nation-state activity against commercial, mass-market ICT systems; responsible handling of ICT vulnerabilities and cyber weapons; appropriate conduct of offensive operations in cyberspace; and support for private sector management of cyber events. The report suggests a model for creating these norms that would include the ICT industry, which Microsoft suggests has often been left out.

But Kevin Townsend notes in a story for that part of the Microsoft report is controversial because the company suggests what it calls  ‘co-ordinated disclosure’ be the norm for researchers who want to disclose bugs. Co-ordinated disclosure allows these warnings to be revealed to computer emergency readiness teams (CERTs), usually official organizations created or backed by governments. Still, the suggestion is disclosure not be fully public.

To CISOs who have to deal with zero-day threats the debate may seem quite clear: Giving the enemy any advantage is wrong, so full disclosure is out of the question. Townsend quotes researchers at a security vendor who favours responsible disclosure but has some doubts effective international norms can be imposed on criminals or cyber intelligence agencies of certain countries looking for ICT vulnerabilities.

Then there’s also the problem after a norm has been agreed upon of laying the blame for an attack at a country given the multiple ways attackers can hide their attacks. Microsoft suggests a committee of experts to rule on the source of severe attacks.

As for the international development of cybersecurity norms, note that at last week’s North American leaders’ summit, Canada, the U.S. and Mexico pledged “to promoting stability in cyberspace based on the applicability of international law, voluntary norms of responsible state behaviour during peacetime, and practical confidence-building measures between states.

“The leaders affirmed that no country conduct or knowingly support online activity that intentionally damages critical infrastructure or otherwise impairs the use of it to provide services to the public; that no country should conduct or knowingly support activity intended to prevent national computer security incident response teams from responding to cyber incidents, or use its own teams to enable online activity that is intended to do harm; that every country should cooperate, consistent with its domestic laws and international obligations, with requests for assistance from other states in mitigating malicious cyber activity emanating from its territory; and that no country should conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to its companies or commercial sectors.”

Also, at the G7 summit in May the countries — including Canada —  promised to promote “a strategic framework of international cyber stability consisting of the applicability of existing international law to state behavior in cyberspace, the promotion of voluntary norms of responsible state behavior during peacetime, and the development and the implementation of practical cyber confidence building measures between states.”

What do you think: Full or limited disclosure? Let us know in the comments section below.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Featured Articles

Empowering the hybrid workforce: how technology can build a better employee experience

Across the country, employees from organizations of all sizes expect flexibility...

What’s behind the best customer experience: How to make it real for your business

The best customer experience – the kind that builds businesses and...

Overcoming the obstacles to optimized operations

Network-driven optimization is a top priority for many Canadian business leaders...

Thriving amid Canada’s tech talent shortage

With today’s tight labour market, rising customer demands, fast-evolving cyber threats...

Staying protected and compliant in an evolving IT landscape

Canadian businesses have changed remarkably and quickly over the last few...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now