As part of an ongoing review of how our research activities have performed, we’ve taken the opportunity to redefine our process of disclosing vulnerabilities to better align with current good practice. As a result of this, we’ve prepared a new Co-ordinated Disclosure Policy and assigned members of our technical team to drive the processes that underpin it.
The first change is that we’ve moved from “Responsible” to “Co-ordinated”. This is largely a semantic change, but it reflects the mature industry view that the word “responsible” is loaded and puts researchers in a difficult position even where they have attempted to co-ordinate a disclosure. This is a view that has previously been recognised by Microsoft amongst others, so we believe the market is ready for the change.