Microsoft Institutes Strict New Policy on App Vulnerabilities

Developers have 180 days -- or less, in many cases -- to fix apps before they're pulled.

If it were a Western, Microsoft's new policy on application security would be the equivalent of a stranger walking into a saloon and announcing, "There's a new sheriff in town."

And developers had better heed the lawman, or risk having their apps lynched.

That was the effect of the company's just-released regulation that developers with app vulnerabilities have a maximum of 180 days to fix the problem, or have the program pulled from any of Microsoft's app stores, including the Windows Store, Windows Phone Store, Office Store and Azure Marketplace.

The warning, from the Microsoft Security Response Center, is written in atypically blunt language:

"The new policy is part of a Microsoft effort to help ensure that customers can have confidence in the security of the software that is available in our online stores. This confidence includes trusting that developers will respond appropriately when a security vulnerability is discovered."

The rules apply not only to third-party apps, but Microsoft-created apps as well. And Microsoft emphasized that 180 days is the latest deadline; apps may be pulled from their respective stores immediately if the vulnerability is serious enough. Redmond "will exercise its discretion on a case-by-case basis," the notice says. Some of the reasons that could result in an app being yanked include issues that "affect multiple developers or are architectural in nature."

Even the six-month timeframe is pushing Microsoft's tolerance, according to the post: "We expect that developers will address all vulnerabilities much faster than 180 days."

The vulnerabilities requiring immediate attention are those rated "Critical" or "Important" in Microsoft's Severity Rating System. The system has four tiers; below those two are "Moderate" and "Low." A Critical flaw is one that could allow code execution without the user doing anything. An Important vulnerability, as specified in the system, "could result in compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources."

Dustin Childs, the group manager for response communications for Microsoft Trustworthy Computing, added in his own blog entry announcing the new requirements that if a developer absolutely needs more than 180 days to fix a problem, the company will work with them on it. The key in such a situation, it would appear, is working in concert with Microsoft.

About the Author

Keith Ward is the editor in chief of Virtualization & Cloud Review. Follow him on Twitter @VirtReviewKeith.
