There's an interesting story up on The Register from Toorcon. Since I wasn't at Toorcon, I can't confirm it, and I haven't seen any other stories that don't solely reference The Register's article.
Katie Moussouris, a Microsoft security strategist, told the crowd that Microsoft would not sue or press charges against ethical hackers who report security flaws in their websites.
This is a huge move in the right direction in my opinion. Web security is something that plagues almost everyone and it's good to see Microsoft making a move to improve their web security. Let's hope that more companies will follow Microsoft's move.
Let's also hope that Microsoft puts out something official on this subject, because so far... the only original piece I've seen is The Register's article.
If more comes on this subject, I'll be sure to blog about it.
Comments (2)
PayPal released a similar policy in the same general timeframe.
https://www.paypal.com/us/cgi-bin/webscr?cmd=xpt/cps/securitycenter/general/ReportingSecurityIssues-outside
My commentary on the policy is here:
http://securityretentive.blogspot.com/2007/11/some-comments-on-paypals-security.html
Posted by Andy Steingruebl | April 21, 2008 2:58 PM
It's true, Microsoft Security Research Center (MSRC) is such a pleasure to work with. I've been helping them find flaws (http://www.impactalabs.com/news/news.aspx or http://www.microsoft.com/technet/security/acknowledge/archive.mspx) for the last while.
--Kevin
Posted by Kevin Lam (IMPACTA) | May 4, 2008 10:02 PM