Microsoft has 'fessed up to hiding details on software vulnerabilities that are discovered internally, insisting that full disclosure of every security-related product change only serves to aid attackers.

The company's admission follows criticisms from a security researcher that its policy of silently fixing software flaws is "misleading" and not in the spirit of Microsoft's push for transparency.

In an interview with eWEEK, Mike Reavey, operations manager of the MSRC (Microsoft Security Response Center), said the company's policy is to document the existence of internally discovered flaws as well as the area of functionality where the change occurred, but that full details on the fixes are withheld for a very good reason.

"We want to make sure we don't give attackers any [additional] information that could be used against our customers. There is a balance between providing information to assess risk and giving out information that aids attackers," Reavey said.



Posted by: Ethan    Source