SecurityFocus 2002-07-23
It may be the most-used vendor bug reporting address in history. This week Redmond put "firstname.lastname@example.org" out to pasture in favor of a handy Web form.

To improve the information-gathering phase of its security investigations, Microsoft is moving away from the use of a dedicated e-mail address for contacting the company about security bugs, the company said Tuesday.
The Microsoft Security Response Center (MSRC) will continue to monitor email@example.com to accept vulnerability reports and to communicate with customers, according to a spokesman. But last weekend the company
The new vulnerability reporting form coaches bug reporters through the steps of describing which products are affected, the nature of the flaw and how an attacker might exploit it. Once a report is submitted, the process operates exactly as before, primarily through e-mail between the customer and MSRC staff, Microsoft said.
Under the previous reporting system, Microsoft typically needed to exchange several e-mails with the vulnerability finder before launching its own investigation, Microsoft said.
To encourage security professionals to work with Microsoft confidentially on security bugs, in 2000 the company began formally acknowledging experts who
Microsoft's security group received over 5,000 e-mails during the first eight months of 2000, according to the company's Web site.
Reaction to the new reporting system was mixed among the white hat hackers and security researchers most accustomed to telling Microsoft about its security holes.
A security researcher with EyeOnSecurity.net said he welcomed the new system. "I hope this standardization may be better for them and the security researcher -- so that both speak the same language," said "Obscure," who noted that Microsoft has recently had difficulty reproducing vulnerabilities he has reported to the company.
But some security professionals said the new form appears geared toward first-timers, and that experienced researchers will be unlikely to rely solely on the new system.
"I doubt that I will ever use the form. It is not flexible enough," said Thor Larholm, a security researcher with PivX Solutions, who has reported several browser bugs to Microsoft by e-mail.
Relying on a Web-based form would also eliminate the paper-trail researchers need to document their contacts with the vendor, according to Steve Manzuik, founder and technical lead at Entrench Technologies.
"I would use the form but also continue to send an e-mail to firstname.lastname@example.org for the simple reason that it makes tracking when the vendor was notified far easier," said Manzuik, co-moderator of the VulnWatch mailing list.
A check-box on the vulnerability report form allows bug finders to indicate if they can provide a program that demonstrates the flaw. According to
"If you do decide to provide a demonstration program, we recommend that you ensure it can't be used to cause harm to other users' systems. Similarly, we strongly recommend against testing a vulnerability on other users' systems, as this is illegal in most countries," states the instructions.
Microsoft's form does not require customers to provide their contact information, although it encourages bug finders to provide a telephone number and e-mail address for follow-up conversations.
Manzuik noted that researchers who wish to remain anonymous may eschew the use of the new reporting form, which could enable logging of the user's IP address, in favor of an anonymous e-mail system.