Microsoft credits researchers for hacking

Security researchers free to investigate Microsoft's online services for security bugs without fear of prosecution

Security researchers are free to investigate Microsoft's online services for security bugs, without fear of prosecution - as long as they submit the bugs they find "responsibly" to Microsoft, the company said this week.

What's more, this policy has been in place at least since July of 2007, Microsoft said, although it appears to be news to most researchers.

The immunity from prosecution for such research is a significant issue, as even legitimate security researchers are in danger of prosecution if they report flaws they've found on third-party online services.

However, Microsoft said this week it wants to encourage legitimate researchers to carry out their work, and is willing to stand by its policy of not suing them, as long as disclosure is carried out in a way that doesn't pose a danger to users.

"Because we will not pursue legal action against researchers who report vulnerabilities to us responsibly, we hope to encourage those who want to help us protect customers to feel free to do so without fear of repercussions," said Microsoft security response communication manager Bill Sisk, in a statement provided to journalists. "As we have done for many years, we continue to work closely with security researchers and encourage responsible disclosure of vulnerabilities in our products as well as for online services."

Sisk pointed to a company website - part of the Microsoft Security Response Center (MSRC) - set up in July 2007 expressly to credit researchers who responsibly disclose bugs in Microsoft online services.

In its FAQ, the site states that "Microsoft will not pursue legal action against security researchers that responsibly submit potential online services security vulnerabilities".

Sisk's remarks followed a Saturday talk by Microsoft security strategist Katie Moussouris at ToorCon in Seattle, in which Moussouris reiterated the company's promise not to sue responsible researchers.

According to a report in IT journal The Register, Moussouris said Microsoft is pushing to add a provision to an ISO standard which would protect such "ethical hackers."

Microsoft has long championed "responsible disclosure", a position that has frequently brought it into conflict with researchers who feel that the company is not efficient enough at fixing security flaws.

Some researchers have taken the position that if a company takes too long to disclose a flaw, that company is putting users at risk, and therefore the flaw can legitimately be disclosed to the public.

Where it comes to online services, such a position is more difficult, because research involves probing software running on systems belonging to a third party.

The line between such research and an attack is unclear. In 2006, for instance, the University of Southern California prosecuted researcher Eric McCarty after he produced evidence of a security bug in the university's website.

At the time, Michael C. Zweiback, Assistant US Attorney for the Central District of California, told security industry journal SecurityFocus: "There is a right way to do penetration testing, and there is a wrong way. And Mr. McCarty's way was the wrong way."

Microsoft's MSRC website has a policy of recognizing the names of researchers who responsibly disclose one or more security bugs in Microsoft online services and work with the company to fix the problems.

Join the newsletter!

Error: Please check your email address.

More about BillISOMicrosoftPromiseProvisionProvisionSecurityFocus

Show Comments

Market Place