Skip to main content
close search
site logo
Dive Brief

Microsoft revamps how it will disclose vulnerabilities

The company said the additional disclosure method using the Common Security Advisory Framework will help organizations better prioritize CVEs.

Published Nov. 15, 2024
David Jones's headshot
Reporter
Microsoft President and Vice Chair Brad Smith speaks April 12, 2023, at the Semafor World Economy Summit in Washington D.C.
Microsoft President and Vice Chair Brad Smith speaks April 12, 2023, at the Semafor World Economy Summit in Washington. The company is expanding its vulnerability disclosure process in a bid to make remediation more efficient. Drew Angerer via Getty Images

Dive Brief:

  • Microsoft will disclose vulnerabilities under the Common Security Advisory Framework, a move designed to help customers respond and remediate CVEs in a more efficient manner, the company said this week.  
  • CSAF is a format that is machine readable, which helps organizations digest the CVEs faster and in larger volumes. Customers will still be able to get CVE updates through the Microsoft security update guide or through an API based on the Common Vulnerability Reporting Framework. The CVRF serves as the standard for disclosing vulnerability information. 
  • The CSAF rollout represents the third in a series of changes to make vulnerability disclosure more transparent at Microsoft. The company in June announced Cloud Service CVEs and in April said it would publish root cause analysis using the Common Weakness Enumeration standard.

Dive Insight:

The embrace of CSAF marks a further step toward transparency by Microsoft, which announced an overhaul of its security culture a year ago, under a program called the Secure Future Initiative. 

Microsoft launched the program in response to a state-linked hack of Microsoft Exchange Online, which resulted in the theft of tens of thousands of emails from the U.S. State Department and the intrusion into other sensitive customer accounts. 

The U.S. Cyber Safety Review Board released a withering report in April, calling the 2023 hack entirely preventable and noting the prioritized speed to market over security in how Microsoft developed its products.  

The Cybersecurity and Infrastructure Security Agency has advocated adoption of the CSAF format for more than two years, in order to help manage the onslaught of security vulnerabilities that network defenders need to analyze and remediate. 

“Software vendors work constantly to understand if their products are impacted by a new vulnerability,” a CISA spokesperson told Cybersecurity Dive via email. “CSAF provides our community a standardized approach for vendors to disclose security vulnerabilities to end users in an accelerated and automated way."

Filed Under: Vulnerability

Editors' picks

Company Announcements

View all | Post a press release
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Traceable Releases 2025 State of API Security Report: API Breaches Persist as Fraud, Bot Attac…
From Traceable AI
October 30, 2024
Mystic Valley Elder Services Data Breach Investigation
From Migliaccio & Rathod LLP
October 31, 2024
CUSO Financial Services, LP Data Breach Investigation
From Migliaccio & Rathod LLP
October 31, 2024
Editors' picks
Latest in Vulnerability
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell