“Responsible Disclosure” is dead; long live “Coordinated Vulnerability Disclosure” Microsoft does not mention the critical point: what happens when the vendor takes months or more than a year to fix a flaw? Google’s security team announced their new policy of a 60-day grace period within which software vendors are to provide fixes for critical flaws. Microsoft has not gone along with this idea and makes no mention of such an obligation in its annoucement. The software firm also makes it clear that it does not intend to continue to call everyone who does not support Microsoft’s interpretation of “responsible disclosure””]

