A day in the life of a MS patch

Posted by bink on September 12 2003, 11:12 PM. Posted in Security.

Considering all the attention that's been given to Microsoft's Trustworthy Computing Initiative, I expected the company would have a platoon of security specialists sequestered in a NORAD-like bunker under Washington State's Mt. Rainier, all staring at giant plasma displays showing DEFCON ratings, graphical virus and worm progress reports. I imagined various personnel with strange symbolic shoulder patches on their uniforms running off to secret elevators with bodyguards and bulletproof briefcases handcuffed to their wrists.

In reality, the MSRC process and facilities aren't quite so glamorous. However, the resources that Microsoft applies to each vulnerability do put the company's money where its mouth is when it comes to Trustworthy Computing.

According to MSRC security program manager Stephen Toulouse, the first step in the security response process is the point at which Microsoft is made aware of a vulnerability. "We receive vulnerability reports through a variety of channels," said Toulouse. In some cases, the MSRC is notified by security researchers and others through a widely publicized e-mail address, secure@microsoft.com. Some researchers have a direct line to a specific member of the MSRC team. Researchers are not compensated for their efforts, according to Toulouse. In addition to the researchers in the security community, Microsoft also has internal teams that find and report vulnerabilities to the MSRC.

read whole story