Tenable CEO confronts Microsoft over inadequate vulnerability disclosure
Tenable, a cybersecurity company, has publicly accused Microsoft of a lack of transparency in its handling of vulnerability disclosure. Tenable's Chief Security Officer, Bob Huber, claimed that communication with Microsoft's Security Response Team was poor throughout the process.
The current Follina vulnerability, first reported by cybersecurity researcher Marcus Hutchins in May 2022, is the latest in this pattern. Tenable discovered two vulnerabilities in Microsoft's Azure Synapse service in March, one of which was considered critical. Microsoft was initially notified of the Follina vulnerability months earlier, but allegedly patched one of the vulnerabilities quietly and downplayed the risk to users.
Tenable's CEO, Amit Yoran, has accused Microsoft of this being part of an ongoing pattern of insufficient transparency. According to Yoran's LinkedIn blog, his claims are supported by security researchers at Orca Security, Wiz, Positive Technologies, and Fortinet.
Microsoft President Brad Smith has previously called out many leading technology companies for lack of robust disclosure following the SolarWinds supply chain attack. However, in this case, Microsoft has not yet notified customers about the patched vulnerability, according to Yoran.
Erik Nost, senior analyst at Forrester, has raised questions about the shared responsibility model in the cloud, specifically about when cloud providers should inform customers of critical issues. Nost's concerns center on customers' confusion about what they themselves need to maintain and on how long a vulnerability may remain exposed.
The 90-day window for discussing the vulnerability publicly expired during the RSA Conference. Tenable follows Microsoft's 90-day disclosure policy on vulnerability reporting, but Yoran accused Microsoft of not adhering to this policy in the case of the Follina vulnerability.
Microsoft actively notified customers following those attacks and encouraged them to move their on-premises business into the cloud. The current controversy, however, raises questions about the company's commitment to transparency and to the security of its services.
These allegations highlight the importance of clear and timely communication between technology companies and their customers when it comes to vulnerability disclosure. As the use of cloud services continues to grow, it is crucial that both providers and customers understand their roles and responsibilities in maintaining security.