Microsoft Institutes Strict New Policy on App Vulnerabilities

Developers have 180 days -- or less, in many cases -- to fix apps before they're pulled.

If it were a Western, Microsoft's new policy on application security would be the equivalent of a stranger walking into a saloon and announcing, "There's a new sheriff in town."

And developers had better heed the lawman, or risk having their apps lynched.

That was the effect of the company's just-released regulation that developers with app vulnerabilities have a maximum of 180 days to fix the problem, or have the program pulled from any of Microsoft's app stores, including the Windows Store, Windows Phone Store, Office Store and Azure Marketplace.

The warning, from the Microsoft Security Response Center, is written in atypically blunt language:

"The new policy is part of a Microsoft effort to help ensure that customers can have confidence in the security of the software that is available in our online stores. This confidence includes trusting that developers will respond appropriately when a security vulnerability is discovered."

The rules apply not only to third-party apps, but Microsoft-created apps as well. And Microsoft emphasized that 180 days is the latest deadline; apps may be pulled from their respective stores immediately if the vulnerability is serious enough. Redmond "will exercise its discretion on a case-by-case basis," the notice says. Some of the reasons that could result in an app being yanked include issues that "affect multiple developers or are architectural in nature."

Even the six-month timeframe is pushing Microsoft's tolerance, according to the post: "We expect that developers will address all vulnerabilities much faster than 180 days."

The vulnerabilities requiring immediate attention are those rated "Critical" or "Important" in Microsoft's Severity Rating System. The system has four tiers; below those two are "Moderate" and Low". A Critical flaw is one that could allow code execution without the user doing anything. An Important vulnerability, as specified in the system, "could result in compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources."

Dustin Childs, the group manager for response communications for Microsoft Trustworthy Computing, added in his own blog entry announcing the new requirements that if a developer absolutely needs more than 180 days to fix a problem, that the company will work with them on it. The key in such a situation, it would appear, is working in concert with Microsoft.

About the Author

Keith Ward is the editor in chief of Virtualization & Cloud Review. Follow him on Twitter @VirtReviewKeith.

comments powered by Disqus


  • Microsoft's Lander on Blazor Desktop: 'I Don't See a Grand Unified App Model in the Future'

    For all of the talk of unifying the disparate ecosystem of Microsoft-centric developer tooling -- using one framework for apps of all types on all platforms -- Blazor Desktop is not the answer. There isn't one.

  • Firm Automates Legacy Web Forms-to-ASP.NET Core Conversions

    Migration technology uses the Angular web framework and Progress Kendo UI user interface elements to convert ASP.NET Web Forms client code to HTML and CSS, with application business logic converted automatically to ASP.NET Core.

  • New TypeScript 4.2 Tweaks Include Project Explainer

    Microsoft shipped TypeScript 4.2 -- the regular quarterly update to the open source programming language that improves JavaScript with static types -- with a host of tweaks including a way to explain why files are included in a project.

  • What's Top-Paying .NET Skill, In-Demand Language?

    New tech reports reveal the top-paying .NET skills and most in-demand programming languages in the Microsoft-centric developer landscape.

Upcoming Events