Vulnerability disclosure

An interesting discussion of "vulnerability disclosure" on a Microsoft blog:
Coordinated Vulnerability Disclosure: Bringing Balance to the Force

After Responsible Disclosure ("don't tell anyone until the company gets around to publishing a patch") and Full Disclosure ("tell everyone, to force the company to publish a patch") comes Coordinated Vulnerability Disclosure. But:

"Make no mistake about it, CVD is basically founded on the initial premise of Responsible Disclosure, but with a coordinated public disclosure strategy if attacks begin in the wild. That said, what’s critical in the reframing is the heightened role coordination and shared responsibility play in the nature and accepted practice of vulnerability disclosure. This is imperative to understand amidst a changing threat landscape, where we all accept that no longer can one individual, company or technology solve the online crime challenge."

The idea emerged after the dispute between MS and a Google engineer who discovered a vulnerability in the "Windows Help and Support Center":
MS Patch Tuesday: Googler zero-day fixed in 33 days
ZDnet ZeroDay