Dive Brief:
- In a blog post released Monday, Microsoft said it will publish root cause data for its security vulnerabilities using the Common Weakness Enumeration (CWE) industry standard.
- For decades, Microsoft has used its own taxonomy to describe the causes of vulnerabilities. The change is part of a larger effort by the company to make its products and services more secure and to boost transparency.
- “This standard will facilitate more effective community discussions about finding and mitigating these weaknesses in existing software and hardware, while also minimizing them in future updates and releases,” said Lisa Olson, senior program manager, security release at Microsoft, in the blog post.
Dive Insight:
The change is “core to the goals” of Microsoft’s Secure Future Initiative, a program the company announced in November to overhaul the way it approaches security.
Microsoft unveiled the plan months after a state-linked threat group attacked Microsoft Exchange Online and gained access to customer emails. The overhaul was a comprehensive plan to transform the way the company produced software, with promises to become more transparent and enable a faster response to security vulnerabilities.
“At a minimum, this move by Microsoft will enable better communication between and among security practitioners, because all parties will be using a common lexicon, and entities responding to new Microsoft vulnerabilities won’t have to crosswalk the new Microsoft root cause data to CWE data,” said Emile Monette, director of value chain security at Synopsys Software Integrity Group.
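The crosswalk problem Monette describes is easy to see in practice: when advisories arrive with vendor-specific root-cause labels, a responder has to maintain a manual mapping before the data can be aggregated alongside CWE-tagged findings from other sources. The script below is an added illustration, not code from Microsoft or from the article; the advisory records, the vendor labels and the `VENDOR_TO_CWE` crosswalk are constructed for the example, while the CWE IDs and names are real entries from the CWE list.

```python
"""Aggregate vulnerability root causes once they share the CWE lexicon."""
from collections import Counter
import re

# Constructed sample advisories (not real Microsoft data). Some carry a CWE ID
# directly; others carry only a vendor-specific root-cause label that must be
# crosswalked to CWE before it can be compared with anything else.
SAMPLE_ADVISORIES = [
    {"id": "ADV-0001", "cwe": "CWE-787", "vendor_cause": None},
    {"id": "ADV-0002", "cwe": None, "vendor_cause": "Heap buffer overrun"},
    {"id": "ADV-0003", "cwe": "CWE-416", "vendor_cause": None},
    {"id": "ADV-0004", "cwe": None, "vendor_cause": "Elevation of privilege"},
    {"id": "ADV-0005", "cwe": "CWE-79", "vendor_cause": None},
    {"id": "ADV-0006", "cwe": None, "vendor_cause": "Undocumented root cause"},
]

# Hypothetical crosswalk from vendor free-text labels to CWE IDs. This is the
# manual mapping step that a shared CWE lexicon removes.
VENDOR_TO_CWE = {
    "heap buffer overrun": "CWE-787",
    "use after free": "CWE-416",
    "elevation of privilege": "CWE-269",
}

# Real CWE IDs and names, plus a coarse defender-facing bucket for reporting.
CWE_NAMES = {
    "CWE-787": "Out-of-bounds Write",
    "CWE-416": "Use After Free",
    "CWE-79": "Cross-site Scripting",
    "CWE-269": "Improper Privilege Management",
}
MEMORY_SAFETY_CWES = {"CWE-787", "CWE-416"}

CWE_ID_RE = re.compile(r"^CWE-\d+$")


def normalize_cwe(advisory):
    """Return the advisory's CWE ID, crosswalking vendor text if needed, else None."""
    cwe = advisory.get("cwe")
    if cwe and CWE_ID_RE.match(cwe):
        return cwe
    cause = (advisory.get("vendor_cause") or "").strip().lower()
    return VENDOR_TO_CWE.get(cause)


def summarize(advisories):
    """Count advisories per CWE, list unmapped ones, and compute the memory-safety share."""
    counts = Counter()
    unmapped = []
    for adv in advisories:
        cwe = normalize_cwe(adv)
        if cwe is None:
            unmapped.append(adv["id"])  # needs a human to extend the crosswalk
        else:
            counts[cwe] += 1
    mapped_total = sum(counts.values())
    memory_safety = sum(n for c, n in counts.items() if c in MEMORY_SAFETY_CWES)
    share = memory_safety / mapped_total if mapped_total else 0.0
    return {"counts": dict(counts), "unmapped": unmapped, "memory_safety_share": share}


if __name__ == "__main__":
    report = summarize(SAMPLE_ADVISORIES)
    for cwe, n in sorted(report["counts"].items(), key=lambda kv: -kv[1]):
        print(f"{cwe} ({CWE_NAMES.get(cwe, 'unknown')}): {n}")
    print("Unmapped:", report["unmapped"])
    print(f"Memory-safety share of mapped advisories: {report['memory_safety_share']:.0%}")
```

Every advisory that arrives already tagged with a CWE ID skips the crosswalk entirely; the ones that fall into `unmapped` are exactly the cases where a vendor-only taxonomy forces someone to guess or to go back to the advisory text, which is the overhead a common lexicon is meant to eliminate.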
Charlie Bell, executive VP, Microsoft Security, said in November during the Secure Future Initiative announcement that the company set a goal of reducing the amount of time required to mitigate cloud vulnerabilities by 50% and would also speak out against non-disclosure restrictions placed on security researchers.
Microsoft is taking steps to be more transparent and forthcoming, said Amy Chang, senior fellow of cybersecurity and emerging threats at R Street Institute. The company released a record 147 patches for Windows and related software in the most recent Patch Tuesday update.
“At a time when there is greater scrutiny on Microsoft's failures or deficiencies in security, making a substantive change in how the company approaches examining root causes of security vulnerabilities would be a smart move,” Chang said via email.