Microsoft has a new security service that will provide an immediate response when researchers publicise unpatched vulnerabilities.
The pilot program, run by the Microsoft Security Response Center (MSRC) and called simply Microsoft Security Advisories, complements the monthly scheduled Security Bulletins ordinarily accompanied by patches.
Unlike the bulletins, though, advisories will not have to meet any fixed schedule, being issued instead as soon as possible after a vulnerability is disclosed.
The advisories will be used to address issues arising between the monthly bulletins, including vulnerability disclosures and phishing scams.
The advisories "will address security changes that may not require a security bulletin but that may still impact customers' overall security," says Nick McGrath, Microsoft's head of platform strategy. "Customers have told us that they want more prescriptive and timely guidance on security issues."
In the past, Microsoft has limited its detailed comments to the monthly bulletins, responding to other issues with short statements. A noticeable shift came last month when MSRC program manager Stephen Toulouse wrote an MSRC blog to discuss a flaw that had been disclosed in Windows 2000 systems. Typically, Microsoft has used such discussions to downplay the severity of unpatched flaws.
The advisory system is the latest development in an ongoing debate over how software vendors and security researchers should balance the need for users to be aware of vulnerabilities with the need for discretion. Microsoft has criticized security researchers for discussing flaws before a patch has been released. For their part, many researchers have said they only disclose vulnerability information if they are unable to convince Microsoft to take action.