Security researchers are free to investigate Microsoft's online services for security bugs, without fear of prosecution - as long as they submit the bugs they find "responsibly" to Microsoft, the company said this week.

What's more, this policy has been in place at least since July of 2007, Microsoft said, although it appears to be news to most researchers.

The immunity from prosecution for such research is a significant issue, as even legitimate security researchers are in danger of prosecution if they report flaws they've found on third-party online services.

However, Microsoft said this week it wants to encourage legitimate researchers to carry out their work, and is willing to stand by its policy of not suing them, as long as disclosure is carried out in a way that doesn't pose a danger to users.

"Because we will not pursue legal action against researchers who report vulnerabilities to us responsibly, we hope to encourage those who want to help us protect customers to feel free to do so without fear of repercussions," said Microsoft security response communication manager Bill Sisk, in a statement provided to journalists. "As we have done for many years, we continue to work closely with security researchers and encourage responsible disclosure of vulnerabilities in our products as well as for online services."

Sisk pointed to a company Web site - part of the Microsoft Security Response Center (MSRC) - set up in July 2007 expressly to credit researchers who responsibly disclose bugs in Microsoft online services.

In its FAQ, the site states that "Microsoft will not pursue legal action against security researchers that responsibly submit potential online services security vulnerabilities".

Sisk's remarks followed a Saturday talk by Microsoft security strategist Katie Moussouris at ToorCon in Seattle, in which Moussouris reiterated the company's promise not to sue responsible researchers.

According to a report in IT journal The Register, Moussouris said Microsoft is pushing to add a provision to an ISO standard which would protect such "ethical hackers."

Microsoft has long championed "responsible disclosure", a position that has frequently brought it into conflict with researchers who feel that the company is not efficient enough at fixing security flaws.

Whitepapers

• The Trend from UNIX to Linux in SAP(r) Data Centers
• Getting in Compliance With Government Data Regulations By Leveraging Online Security Technology
• How to Offer the Strongest SSL Encryption
• Maximizing Site Visitor Trust Using Extended Validation SSL
• Seven Steps to Reducing your Security Risk
• The Latest Advancements in SSL Technology

View more SECURITY whitepapers

Webcasts

• The Secure Web Gateway. Mission Critical For Business - Webcast
• Mobile Data Security
• Best Practices for Deploying WAN Optimization for Disaster Recovery
• Key Considerations for a Successful 802.11n Deployment
• Solutions to the Toughest IT Challenges in Remote Offices
• Lowering the Cost of Email Archives

View more SECURITY webcasts

Special Reports

• The Evolution of Network Security
• Taking Virtualization Up a Notch
• The self-managed network

View more SECURITY special reports