In a statement, Redmond announced that it will serve as vulnerability coordinator when one of its employees discovers a security problem that affects software from other companies.
If an outside researcher reports a problem to the Microsoft Security Response Center (MSRC), The Vole will tell the world.
In a missive with the catchy title “Coordinated Vulnerability Disclosure at Microsoft,” it explained how its researchers will handle the discovery of holes in other software makers’ products.
Microsoft says it will contact the software maker whose application is affected and coordinate public disclosure with the outfit.
This will make sure that a fix is ready before the public is informed of the problem via an MSRC advisory.
This is not a full disclosure policy, under which researchers reveal the technical details of a vulnerability without waiting for the vendor to come up with a fix.
The worry is that if Vole does not tell the world and its dog about the flaws it finds, then vendors are under no pressure to release fixes.
It seems that Microsoft does not believe in enforcing any deadline of its own choosing on other software outfits, which might blunt some of the benefits of this policy.