Microsoft

Culp Debate

Culp - It's time to end information anarchy
A Step Towards Information Anarchy: A Call To Arms - hellNbak
Information Anarchy: The Blame Game? - Edwards reaction on Culp essay
Security in an Open Electronic Society - Levy reaction on Culp essay
Peace of Mind Through Integrity and Insight - Manzuik reaction on Culp essay
Keeping Security Issues in the Open - Davies reaction on Culp essay
NEOHAPSIS - LeBlanc reaction on Culp essay
Security woes: Who is to blame? - Culp interview
MS says stop discussing hack exploits - Leyden paper
ACM: Digital Library: Computers and Society - Bollinger paper
Full Disclosure of Vulnerabilities – pros/cons and fake arguments (Vidstrom paper)
Microsoft's Responsible Vulnerability Disclosure, The New Non-Issue
Schneier - Crypto-Gram November 15, 2001

2001/11/15 : Schneier published his monthly newsletter.
He talks about Cert/CC creation and reacts here on Culp essay

"[Culp] claimed that we'd all be a lot safer if researchers would keep details about vulnerabilities to themselves, and stop arming...Read more

NEOHAPSIS - LeBlanc reaction on Culp essay

2001/11/02 : David LeBlanc, founding member of the Trustworthy Computing Initiative at Microsoft, defend Culp. 

"So a vendor who won't fix bugs unless their customers are threatened with active attack is a very different problem than one who fixes problems...Read more

"MS throttles research to conceal SW bugs" (Greene paper)

2001/11/09 : Thomas C. Greene expresses once again his opinion against Microsoft's way of handling vulnerability disclosure.

"Microsoft Security Manager Scott Culp revealed unilateral steps the company has taken to throttle the exchange of vulnerability ...Read more

Schneier - Crypto-Gram August 15, 1999

1999/08/15 : Here is the monthly newsletter written by Schneier on his blog. He speaks among other things about Back Orifice.

This artifact is part of the Back Orifice Bundle and the...Read more

Microsoft Vulnerability Disclosure

Announcing Coordinated Vulnerability Disclosure (Microsoft)
Coordinated Vulnerability Disclosure at Microsoft
Coordinated Vulnerability Disclosure: Bringing Balance to the Force (Microsoft)
Coordinated Vulnerability Disclosure: From Philosophy to Practice (Microsoft)
Coordinated Vulnerability Disclosure Reloaded (Microsoft)
Microsoft Vulnerability Research Advisories
Microsoft Says No to Paying Bug Bounties (Fisher paper)
Heart of Blue Gold – Announcing New Bounty Programs (Microsoft)
Filling A Gap In the Vulnerability Market – First Bounty Notification (Microsoft)
Peace of Mind Through Integrity and Insight - Manzuik reaction on Culp essay

2001/10/17 : "Code Red, Nimda and a few of the more recent worms were made possible not by the research that discovered the vulnerability they exploited but by the lack of awareness and training by system administrators who did not patch their systems." (p.1-2)

This artifact is part of...Read more

Coordinated Vulnerability Disclosure: From Philosophy to Practice (Microsoft)

2011/04/19 : Microsoft publishes a paper on CVD to explain in more details how it is working.

"Today, we’re providing more transparency and insight into our disclosure philosophy by announcing three updates to our disclosure practices – a CVD at Microsoft document, MSVR...Read more

Exploit Code on Trial (Poulsen paper)

2003/11/23 : "Security pros gathering at a Stanford University Law School conference on responsible vulnerability disclosure Saturday harmonized on the principle that vendors should be privately notified of holes in their products, and given at least some time to produce a patch before any...Read more

MS to force IT-security censorship (Greene paper)

2001/11/02 : On this paper, Thomas C. Greene expresses his opinion against Microsoft's way of handling vulnerability disclosure.

"We all know how Microsoft likes to bully its many 'partners', so it comes as no surprise that the Beast has decided to apply its...Read more

Vista contest offers cash for exploits (itnews paper)

2007/01/15 : "A US security firm is offering up to US$72,000 in bounties for the development of working exploits for Microsoft's Windows Vista and Internet Explorer 7." Read more

Microsoft Vulnerability Research Advisories

https://web.archive.org/web/20110425041124/http://www.microsoft.com/technet/secu…
Subscribe to Microsoft
Need help with PECE?
Join the PECE Slack channel