Microsoft published the policy today -- something it had not done last year -- and asked that others in the security community "embrace the purpose of this shift, which is ultimately about minimizing customer risk, not amplifying it."
Today's advisories are a demonstration of that policy in action, said Reavey, who also acknowledged that future advisories will address complaints that critics had aired about CVD.
"One thing we hear from 'full disclosure' [proponents] is that customers can be put at risk with CVD," he said, referring to the opposing philosophy held by some researchers, who believe in making vulnerabilities public to push vendors to patch faster. The advisories Microsoft issues down the road about bugs that lack a patch are an attempt to answer those critics.
Microsoft also made public a policy that has been in place since November 2010 requiring all employees to follow the CVD guidelines and to report bugs in third-party products to the MSVR program. The new rules for internal researchers apply whether they found the flaws on company time or their own, said Reavey.
When asked whether Microsoft expects others to follow its lead -- some Google security engineers, for instance, have released information about Windows bugs before Microsoft had patches ready -- Reavey didn't answer directly.
"In general, this is the shift we would like to see the industry move toward," he said.