
Microsoft accused of insufficient transparency regarding vulnerabilities by Tenable CEO

According to Amit Yoran, Microsoft did not act on a critical flaw in Azure until Tenable announced that it would disclose the issue publicly.


The episode has revived questions about the shared responsibility model in cloud security, and in particular about when a cloud provider should tell customers about critical flaws and the fixes for them. The debate was sparked by Microsoft's handling of two vulnerabilities that Tenable reported in its Azure Synapse service.

Tenable found the two Azure Synapse vulnerabilities in March and rated one of them critical. Microsoft reportedly patched that one quietly, without telling customers how serious the problem was. Security research from Orca Security, Wiz, Positive Technologies and Fortinet points to a broader pattern rather than a one-off.

The Follina vulnerability in Windows, disclosed by an independent researcher, is the latest example in that pattern: Microsoft has offered a workaround but has not yet shipped a patch, which raises further questions about its commitment to robust disclosure.

Microsoft's President Brad Smith publicly called out the technology industry for insufficient disclosure in the wake of the SolarWinds supply chain attack in early 2021. Yet the company's handling of the Azure Synapse vulnerabilities has drawn criticism from Tenable's CEO, Amit Yoran, who publicly accused Microsoft of a lack of transparency in its disclosure process.

Erik Nost, a senior analyst at Forrester, has asked whether some customers would want to know that they were vulnerable, and for how long. The question matters more in a managed service such as Synapse than on-premises: customers cannot apply the fix themselves, so the provider's disclosure is the only way for them to learn whether their data was exposed and to decide whether an incident review is warranted.

Communication with Microsoft's Security Response Team was reportedly poor throughout the disclosure process. Under the 90-day disclosure policy Tenable follows, the company waits 90 days after notifying Microsoft of a vulnerability before discussing it publicly, which gives the vendor time to review the report, build a patch if one is needed, and notify its customers.

The 90-day window for the Azure Synapse vulnerabilities expired last week, during the RSA Conference, and the report will be updated when Microsoft responds. This is not the first time Microsoft has faced scrutiny over its handling of vulnerabilities, and how it responds will shape the broader discussion about what cloud providers owe their customers when it comes to critical issues and patches.

In conclusion, the Azure Synapse episode highlights weaknesses in the shared responsibility model for cloud security and the importance of transparent vulnerability disclosure. Cloud providers need to prioritise open communication and robust disclosure policies if customers are to trust them with their security.
