Microsoft Vulnerability Research (MSVR) is a program specifically designed to help improve the security ecosystem as a whole. Our goal is to share our collective experience in dealing with security vulnerabilities with the greater security community and by doing so foster positive change.
Evangelizing Secure Development Lifecycle (SDL) Concepts
By leveraging a security assurance process like the Microsoft SDL, software developers can improve their own internal processes, which will lead to fewer software vulnerabilities.
Working with External Parties
Vulnerabilities in third-party products come to MSVR in three different ways:
- Internal Microsoft developers and test engineers: In the course of their day-to-day jobs, developers and test engineers find potential vulnerabilities in third-party software. The internal process is that those vulnerabilities are reported to the MSVR team. MSVR then works with the affected vendor to fix the issue.
- External reports to Microsoft Security Response Center (MSRC): On occasion an external researcher will report an issue that they believe affects a Microsoft product but that in fact affects a third-party product, or affects both the Microsoft product and external parties. These issues are coordinated by MSVR. The ATL issue from last year is a great example of this scenario.
- Internal research projects: As time and resources permit, MSVR performs its own vulnerability analysis and research on products that run on Microsoft operating systems but are not developed by Microsoft. This is accomplished by using internal toolsets. Any issues identified are reported to the affected vendor under accepted coordinated vulnerability disclosure practices.
MSVR Advisories
Beginning in April 2011 the MSVR program began issuing MSVR Advisories detailing software vulnerabilities that Microsoft had privately disclosed to third-party vendors. For issues reported through the MSVR program, Microsoft will not reveal vulnerability details before a vendor-supplied update is available unless there is significant evidence of active attacks in the wild. If attacks begin before the vendor has released its remediation, Microsoft will continue to coordinate with the vendor to release consistent mitigation and workaround guidance. This cooperative approach ensures that affected customers understand their risk and what to do to mitigate it, without revealing details that attackers could use to commit cybercrime.
This coordination takes place under Microsoft's Coordinated Vulnerability Disclosure (CVD) approach to vulnerability disclosure. CVD clarifies how Microsoft responds as a vendor impacted by vulnerabilities in its products and services, as a finder of new vulnerabilities in third-party products and services, and as a coordinator of vulnerabilities that affect multiple vendors.
MSVR Advisories are posted at http://www.microsoft.com/technet/security/advisory/MSVRarchive.mspx.
Read more about Coordinated Vulnerability Disclosure.
To contact MSVR, send an email message to [email protected].