Today’s prevalence of information technology means that ensuring that products and services used are secure is a critical part of risk management for many organizations. However, the complexity of modern software means that some vulnerabilities persist irrespective of how stringent the efforts. These can be exploited if found by malicious actors. It is therefore critical that they are reported to the affected vendors rapidly and securely.

Microsoft has long promoted the Coordinated Vulnerability Disclosure policy as a way to do just that. This paper outlines the processes involved and highlights approaches we found to be most effective in minimizing risk to our customers. It also acknowledges that this in an area with many different actors - government agencies, software developers, IT companies, security researchers, and increasingly other enterprises that develop products with software embedded in them – and explores the different roles they can play in making our online environment more secure.

Download policy paper>