Trend Micro's Zero Day Initiative (ZDI), one of the largest vulnerability acquisition and disclosure programs, has criticized Microsoft for mishandling bug reports. ZDI argues that Microsoft's poor communication and coordination with security researchers could deter future vulnerability disclosures, leaving users at greater risk.
Coordinated Vulnerability Disclosure (CVD) is a widely adopted practice in which researchers report vulnerabilities privately to the vendor and give it time to develop and ship a fix before details are made public. In return, vendors typically acknowledge the researcher in the advisory and sometimes pay a reward. ZDI asserts that Microsoft is falling short on the vendor side of that arrangement.
ZDI's complaints stem from a recent incident involving a critical vulnerability, CVE-2024-38112, in the Windows MSHTML platform. According to ZDI, it reported the vulnerability, which was already being exploited in the wild, to Microsoft in May, yet when Microsoft released a patch last week, ZDI received no acknowledgment. A researcher from Check Point, who had independently observed the vulnerability being exploited, was similarly surprised by the patch release and noted the lack of communication from Microsoft. "Coordinated disclosure is not unilateral coordination," the Check Point researcher commented on Twitter.
Another point of contention for ZDI is the severity ratings Microsoft assigns to vulnerabilities. For instance, Microsoft rated a recently discovered RADIUS vulnerability as 'Important', whereas the researchers who found it considered it 'Critical'. Because many organizations prioritize patching by the vendor's rating, such a discrepancy directly affects how quickly updates are deployed. "A simple disagreement can drastically change the security posture for millions of people," ZDI remarked. We also saw this with a zero-click remote code execution vulnerability in Outlook that Microsoft labeled "Important" rather than "Critical".
Dustin Childs, ZDI's head of threat awareness, expressed frustration over vendors' lack of transparency and proper acknowledgment. "Vendors want researchers to trust them, but they're not taking the necessary steps to earn our trust," he stated. Childs outlined the minimum researchers should expect from a vendor: acknowledging receipt of a report, confirming or denying the finding, informing the researcher when a patch is available, and giving appropriate credit.
"If you don't offer a reward and you don't coordinate with researchers or thank them properly, why would anyone report bugs to you?" Childs asked rhetorically. He warned that researchers might stop reporting vulnerabilities to companies that communicate poorly. That does not make the vulnerabilities go away; it simply leaves them unpatched and available to malicious actors.
ZDI's criticisms are not aimed at Microsoft alone; they point to a broader problem across the industry. "CVD doesn't work if researchers are the only ones coordinating," Childs added.
Mishandling vulnerability reports strains the relationship between researchers and vendors and ultimately harms end users: inaccurate severity ratings and missing acknowledgments make it harder for defenders to assess risk, and undermine trust in the patches themselves.
In response to these ongoing issues, ZDI announced the launch of the Vanguard Awards at this year’s Black Hat conference. These awards aim to recognize and reward vendors with excellent security advisories, transparent communication, collaboration, improvement, and quick patch deployment.
More broadly, the volume of disclosed bugs may have outpaced vendors' capacity to coordinate on them. Budget cuts, a rush toward automation, and inadequate human review of incoming reports may also be contributing. Improving CVD practice ultimately benefits everyone involved: researchers, vendors, and users.
Microsoft has not publicly commented on ZDI's criticism. We did see that Microsoft's response team had replied to Haifei Li, the Check Point researcher, who wrote: "[MR] has acknowledged the problem to me and hopefully the communications will be much better!" That exchange, however, concerns his own report and predates the ZDI article, which was published six days after that tweet.