Group posts code to exploit Windows flaw, attack computers
Helen Jung, The Associated Press 2003-07-25

A group in China released a program Friday that lets hackers exploit a flaw in Microsoft software and take over a victim's computer over the Internet.

Wormsign 2003-07-27
TimJones (1 replies)
Wormsign 2003-07-28
Pragma
Group posts code to exploit Windows flaw, attack computers 2003-07-27
Anonymous (2 replies)
Group posts code to exploit Windows flaw, attack computers 2003-07-28
Anonymous
While there are methods for producing 100% provable bug-free code, these methods are very expensive to use, and result in development cycles that are likely to be 10 years or more. As such these methodologies tend only to be used by companies producing safety critical systems, as it is too expensive for commercial use; I don't know about you but I'm not willing to pay 1/2 (£1000+) the cost of my computer on a personal OS. Also for the sheer size of MS's product portfolio, the amount of testing that would be required to fully test every aspect of a piece of software would also be phenomenal. Companies try to get round this by releasing the product for beta testing, but as with everything else, if no one tests something in a certain way, then it could cause the world to stop and no one would know. What I would assume that MS are doing is to go through each component in their products and harden/test it; this is likely to take upwards of 10 years anyway, so as such researchers are an invaluable resource for them, and responsible disclosure is a must.

Before everyone has a go at me, I take responsible disclosure as let the manufacturer know about the bug/flaw/gaping hole first, then maybe 1-2 months later let the world know, along with the documentation of how you found the hole, possible ramifications, proof of concept code, etc. This gives the company time to find the problem, fix it, and if necessary ask politely that you delay the release as it is difficult to fix, and then let their customers know and provide the fix.
