"I was very interested in that question. And one of the places that I focused on was the MSRC, which is short for Microsoft Security Response Center. This center is like a clearing house for reports of security bugs, and it was Harris' very first stop when he began warning colleagues of the flaw that he discovered. But the issue is that the center itself was understaffed and underresourced. And one employee who used to work there told me that staff is trained to think of cases in terms of how can I get to won't fix. So this center also clashed with the product teams."
I used to work for the MSRC. He's right that it was understaffed and underresourced. It's one of the reasons I quit, same for many of my ex-colleagues. But I disagree with his characterization of us trying to find any way to get cases to Won't Fix. The fact is, we got many, many reports that were genuinely not vulns, and therefore shouldn't be prioritized for fixing from a security standpoint. Yes, occasionally reports may be incorrectly analyzed, but that's not because we were trying to get them to Won't Fix. It's just people making mistakes now and then.
"And, you know, another big issue there is that they're clashing with the product teams that they need to fix the actual issues. So they would bring a security vulnerability to a product group. They'd say, you need to fix this flaw. But those groups were often unmotivated to act fast, if at all, because compensation is tied to the release of new products and features."
That's true in part, but it varies wildly between product teams. Some were incredibly responsive and knowledgeable, some were clueless about security, some just didn't prioritize it.
Sometimes the fix was insufficient. When I was there, MSRC wouldn't check if the fix did what it was supposed to do, except in occasional cases where we were explicitly asked to check or if it was a particularly risky case that needed the extra scrutiny. But like he says, we were understaffed and underresourced; we simply didn't have the time to do this for every case.