‘Everyone is welcome’ – Microsoft security panel offers different perspectives on vulnerability disclosure process
BlueHat is back following pandemic-induced hiatus
Like so many events that fell victim to social distancing during the pandemic, Microsoft’s annual BlueHat conference was cancelled for both 2020 and 2021.
This week the Microsoft Security Response Center (MSRC) instead held a virtual panel event discussing vulnerability disclosure.
Firstly, MSRC’s Jarek Stanley outlined the process, stressing that anybody was welcome to make a submission.
“If it meets our bar, we start working with the relevant engineering group to start on a fix, to make sure the issue is understood and resolved,” he said. “Throughout that process the case manager will keep everyone involved up to date.”
Both Boris Larin of Kaspersky’s Global Research and Analysis Team and Dr Nestori Syynimaa, senior principal security researcher at Secureworks, joined the panel, and said their experience of submitting bugs had been a positive one.
However, warned Nestori, it’s important to be patient and describe issues clearly.
“For instance, I am doing research mainly in ID and when we go to identity things they can be very difficult, and there might be in the world only five people who know about this,” he said.
“So as a researcher, you need to be sometimes a little bit patient, and you need to write your report quite specifically with all the concepts, all the steps, so that you can verify that the bug really exists.”
Two sides to every submission
As an ex-MSRC staffer himself, Nate Warfield, chief technology officer at Prevailion, has worked on both sides of the fence, and said that a good relationship is key.
“There are some researchers that can be less than friendly, more combative,” he said.
“When you can get to know people, you can work through your differences before it becomes something that’s either being talked about on the news or causing a lot of headaches for people inside or outside the company.”
But, added Nestori, it can sometimes be worth being pushy.
He described how his first bug bounty submission was rejected, the reason given being that the fault was “by design”.
“I asked a couple of times, ‘Could you take a look again, because it looks to me quite bad?’ The next email I got said OK, we are considering a bounty, and I got $20,000 for that.”
Larin said his own submissions in the past were treated seriously and fixed quickly but queried the clarity of Microsoft’s security boundaries.
MSRC’s vice president Aanchal Gupta said: “Pretty soon you will see us publishing something. It won’t be perfect by any means, but with your feedback over time we will make improvements.”
The panel members also discussed mitigation timelines, agreeing that the process could sometimes seem slow.
Warfield concluded: “The cost of getting it right is beyond what most people understand. You’re talking about an ecosystem that’s measured in billions of desktops and servers, so if something goes wrong, the entire world is impacted.”