Henry Brown

Additional information and commentary from Ms. Smith’s blog on Network World

MSFT to developers: Fix Windows app security flaws in 180 days or be kicked from stores

App developers have no more than 180 days to fix security flaws or Microsoft will kick the vulnerable app from the Windows Store, Windows Phone Store, Office Store, and Azure Marketplace. Microsoft’s new security policy for apps states:

Under the policy, developers will have a maximum of 180 days to submit an updated app for security vulnerabilities that are not under active attack and are rated Critical or Important according to the Microsoft Security Response Center rating system. The updated app must be submitted to the store within 180 days of the first report that reproduces the issue. Microsoft reserves the right to take swift action in all cases, which may include immediate removal of the app from the store, and will exercise its discretion on a case-by-case basis.

Microsoft will apply the same policy to its own software. “I’ve never seen a vendor state that they’d pull their own applications, so that deserves kudos,” said Tyler Reguly, the manager of security research at Tripwire.

The Microsoft Security Response Center (MSRC) expects that developers will patch vulnerabilities faster than the allotted 180 days, adding that “no apps have come close to exceeding this deadline.”