By now, you may have seen that Microsoft has changed the name of the vulnerability reporting process we follow from “Responsible Disclosure” to “Coordinated Vulnerability Disclosure”.
First, I’d like to thank each and every one of the reviewers, especially those who were willing to be thanked and acknowledged for providing their feedback. There is a range of opinions of the folks on that list, and I expect many of them will share more of their thoughts in the coming days and weeks. For those of you who provided feedback but declined to be thanked in my post, a sincere thanks to you as well for your time and thoughts, which were very valuable. I look forward to continuing the disclosure dialogue with all of you.
Second, I’m reiterating the request we made for community feedback on the topic of disclosure. If there’s anything you need clarified about what we’re saying, I’m happy to provide context on where this is coming from, as it’s been in the works for months now here at Microsoft, as well as in the ISO forum where the term “Responsible” was dropped from the name of the “Vulnerability Disclosure” draft standard back in April 2010.
You can reach me on Twitter as k8em0 (pronounced “Katie” “mo”, NOT “Kate” “emo”!!), or via email using katiemo at you know where.
If you want to talk in person, I will be in Vegas next week for BlackHat and DefCon, so find me or any of the other Microsoft people, talk to us, and keep the conversation going! We all have our opinions. Talking to each other, *especially* when our opinions differ, is the only way we can evolve this industry.