Coordinated Vulnerability Disclosure
Microsoft's Approach to Coordinated Vulnerability Disclosure
Under the principle of Coordinated Vulnerability Disclosure (CVD), researchers disclose newly discovered vulnerabilities or content-related issues in hardware, software, or services directly to the vendors of the affected product; to a national CERT or other coordinator who will report to the vendor privately; or to a private service that will likewise report to the vendor privately. The researcher gives the vendor the opportunity to diagnose the issue and provides fully tested updates, workarounds, or other corrective measures before any party discloses detailed vulnerability or exploit information to the public. The vendor continues to coordinate with the researcher throughout the vulnerability investigation and provides the researcher with updates on case progress. Upon release of an update, the vendor may recognize the finder for the research and privately reporting the issue. If attacks are underway in the wild, and the vendor is still working on the update, then both the researcher and vendor work together as closely as possible to provide early public vulnerability disclosure to protect customers. The aim is to provide timely and consistent guidance to customers to help them protect themselves.