Patch Tuesday, Microsoft’s monthly cycle of providing security-related updates to users of various Microsoft software programs, is a perfect day to talk about policies that are related to security.
Today that policy directly impacts programs or apps that are published in the Windows Store, Windows Phone Store, Office Store and the Azure Marketplace.
This is also not the first Patch Tuesday where Microsoft has talked about app security. Back in March they published their commitment to transparency and regular security updates for the Modern Apps built into Windows 8.
In today’s newly established policy, the focus is on apps and programs created by third-party developers.
The policy, which is effective immediately, requires developers to fix security vulnerabilities in their apps and enables Microsoft to remove an app from sale if the developer does not provide an effective fix. The requirement applies to all apps available in the online stores, including Microsoft apps.
Under the policy, developers will have a maximum of 180 days to submit an updated app for security vulnerabilities that are not under active attack and are rated Critical or Important according to the Microsoft Security Response Center rating system. The updated app must be submitted to the store within 180 days of the first report that reproduces the issue. Microsoft reserves the right to take swift action in all cases, which may include immediate removal of the app from the store, and will exercise its discretion on a case-by-case basis.
We expect that developers will address all vulnerabilities much faster than 180 days. To date, no apps have come close to exceeding this deadline. However, Microsoft may make exceptions, such as when issues affect multiple developers or are architectural in nature, where such action is prohibited by law, or at Microsoft’s discretion. This policy does not modify existing developer agreements and Microsoft may remove apps for other reasons according to those agreements.