Microsoft announced at the Black Hat security conference in Las Vegas on Thursday that it is formalising its programme of informing third-party software vendors of security problems with products that run on top of Windows.
"We've seen the threat environment change," said Andrew Cushman, director of the Microsoft Security Response Center.
The Microsoft Security Response Center already reports vulnerabilities to other companies, but now it is asking for recognition in finding the vulnerability. Microsoft will not post advisories on any of the third-party security issues it finds, as it does with vulnerabilities found in its own software, Cushman said.
The issue of responsible disclosure is under constant debate, with vendors often arguing that researchers are too quick to go public when they find a vulnerability, and researchers countering that, if they didn't go public, the vendors would drag their heels on fixing the problem.
"Microsoft is in a unique position to help in that dimension," he said. "We bring a little different gravitas to the table. I think we can actually change the dynamic around responsible disclosure."
Earlier in the week, Microsoft said it would be giving third-party vendors an advance look at the technical details of the vulnerabilities in Microsoft software before the company releases its monthly 'Patch Tuesday' updates. The company also announced it would help companies prioritise the vulnerabilities contained in its updates.
