Adobe joins Microsoft’s security sharing scheme
Adobe has become the latest, and arguably most prominent, member of Microsoft’s security information program. Meanwhile Microsoft has revised its controversial “responsible disclosure” policy.
Adobe has followed 65 other firms in joining the Microsoft Active Protections Program (MAPP). This means Microsoft will give Adobe advance notifications of security bugs which it hasn’t yet patched, while Adobe will do the same with its own bugs.
MAPP launched in late 2008 as part of an overhaul that also introduced the Exploitability Index, which gave information on how likely each bug was to be exploited, rather than simply how much damage a successful attack would do.
To date, MAPP has mainly been joined by security firms that want to make sure their products protect against bugs before they become public knowledge through Microsoft’s updates (at which point the race is on for hackers to exploit the bug before all users have patched their machines).
It does certainly make sense for Adobe to sign up though. Other than Microsoft itself, it’s arguably one of the largest producers of software run by Windows users, and it may as well take advantage of the existing system so it can notify security firms of its vulnerabilities.
This isn’t the first time Adobe has taken Microsoft into account with its security policies. Since May 2009 Adobe has intentionally issued its quarterly scheduled security updates on the second Tuesday of the month, the same date as Microsoft’s own Windows update.
Microsoft has also announced an end to its strict policy of “responsible disclosure”, in which it argued that security researchers should keep all details of a bug completely quiet until the manufacturer had produced a complete fix. It’s now suggesting “coordinated vulnerability disclosure” in which those who find bugs are merely asked to hold back proof-of-concept code until the fix is complete. That means the researchers can publicize the problem, but not reveal exactly how it can be exploited.