Ryan Naraine at eWeek has word of a new Microsoft security service:
Microsoft plans to unveil a new security advisories service next Tuesday as part of an aggressive long-term effort to revamp the way it reacts to publicly reported software vulnerabilities.
The pilot project, which is independent of the scheduled monthly security bulletins, represents a major shift in the way the Redmond, Wash.-based software maker communicates with customers when information on security flaws is published by gray hat hackers and private research outfits.
The new offering, dubbed Microsoft Security Advisories, gives engineers at the MSRC (Microsoft Security Research Center) an outlet for providing instant feedback, guidance and mitigations when researchers jump the gun and release vulnerability details before a patch is available.
This is very good news, good enough to warrant interrupting a vacation! In this new program, security experts at Microsoft will be able to issue advisories with detailed advice without having to wait for a formal update to work its way through the Microsoft bureaucracy.
According to Ryan Naraine’s story, the impetus for this new program was a pair of embarrassing episodes – one in which a patch was issued but not properly documented, and the other involving the issue of “poisoned” Windows Media files, for which a patch was issued only after three months.
When it comes to security, transparency is a very good thing.