Microsoft Institutes Strict New Policy on App Vulnerabilities

Developers have 180 days -- or less, in many cases -- to fix apps before they're pulled.

If it were a Western, Microsoft's new policy on application security would be the equivalent of a stranger walking into a saloon and announcing, "There's a new sheriff in town."

And developers had better heed the lawman, or risk having their apps lynched.

That was the effect of the company's just-released regulation that developers with app vulnerabilities have a maximum of 180 days to fix the problem, or have the program pulled from any of Microsoft's app stores, including the Windows Store, Windows Phone Store, Office Store and Azure Marketplace.

The warning, from the Microsoft Security Response Center, is written in atypically blunt language:

"The new policy is part of a Microsoft effort to help ensure that customers can have confidence in the security of the software that is available in our online stores. This confidence includes trusting that developers will respond appropriately when a security vulnerability is discovered."

The rules apply not only to third-party apps, but to Microsoft-created apps as well. And Microsoft emphasized that 180 days is the latest deadline; apps may be pulled from their respective stores immediately if the vulnerability is serious enough. Redmond "will exercise its discretion on a case-by-case basis," the notice says. Some of the reasons that could result in an app being yanked include issues that "affect multiple developers or are architectural in nature."

Even the six-month timeframe is pushing Microsoft's tolerance, according to the post: "We expect that developers will address all vulnerabilities much faster than 180 days."

The vulnerabilities requiring immediate attention are those rated "Critical" or "Important" in Microsoft's Severity Rating System. The system has four tiers; below those two are "Moderate" and "Low". A Critical flaw is one that could allow code execution without the user doing anything. An Important vulnerability, as specified in the system, "could result in compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources."

Dustin Childs, the group manager for response communications for Microsoft Trustworthy Computing, added in his own blog entry announcing the new requirements that if a developer absolutely needs more than 180 days to fix a problem, the company will work with them on it. The key in such a situation, it would appear, is working in concert with Microsoft.

About the Author

Keith Ward is the editor in chief of Virtualization & Cloud Review. Follow him on Twitter @VirtReviewKeith.
