From time to time, the MSRC publishes whitepapers and reports that are designed to bring the community up to date on its activities and research. We will continue to post these downloadable publications as they become available.
BlueHat Prize Contest (August 2011)
The BlueHat Prize contest is a defensive computer security technology contest designed to inspire new research and to encourage and challenge security researchers. On July 26, 2012, the Microsoft BlueHat Prize board awarded $200,000 USD to Vasilis Pappas, who authored the solution considered the most innovative runtime mitigation technology out of all 20 eligible entries. Visit the BlueHat Prize contest website for more information about the contest and this year’s winners.
Microsoft Security Response Center Progress Report (July 2013)
The fifth annual Microsoft Security Response Center (MSRC) progress report continues to highlight the year-over-year advancements in various Microsoft initiatives that share information to foster deeper industry collaboration, increase community-based defenses, and better protect customers.
MSRC Progress Report 2013 includes:
- Microsoft Active Protections Program (MAPP) changes
- Details on the Microsoft Security Bug Bounty Programs
- Updated Microsoft Security Bulletin statistics
- Enhanced Mitigation Experience Toolkit 4.0
- Behind the scenes with an Internet Explorer zero-day vulnerability
Some highlights showcased in the MSRC report 2013 are:
- During the 12 months ending June 2013, Microsoft released a total of 92 security bulletins to address 246 individual vulnerabilities
- The 92 security bulletins published from July 2012 to June 2013 resulted in 266 Exploitability Index ratings
Coordinated Vulnerability Disclosure (April 2011)
Microsoft has released our formal Coordinated Vulnerability Disclosure (CVD) approach to vulnerability disclosure. This new document clarifies how Microsoft responds as a vendor impacted by vulnerabilities in its products and services, as a finder of new vulnerabilities in third-party products and services, and as a coordinator of vulnerabilities that affect multiple vendors.
Microsoft believes that by privately reporting vulnerabilities to those responsible for fixing them, and allowing the vendor sufficient time to fully test the remediation, we can work cooperatively to help make the Internet safer for everyone. While we encourage other companies and individuals to follow our lead, we understand that there are many disclosure philosophies and practices, and we want to coordinate with anyone who wants to work with us. Microsoft will never reveal vulnerability details before a vendor-supplied update is available for issues we find, unless there is significant evidence of active attacks in the wild. If attacks begin before the vendor has released their remediation, Microsoft will continue to coordinate to release consistent mitigation and workaround guidance with the vendor. This cooperative approach ensures that affected customers understand their risk and what to do to mitigate that risk, without revealing details that attackers can use to commit cybercrime. Read more about Coordinated Vulnerability Disclosure.
Microsoft Vulnerability Research Advisories (April 2011)
In April 2011, the MSVR program began issuing MSVR Advisories detailing software vulnerabilities that Microsoft had privately disclosed to third-party vendors. Microsoft will never reveal vulnerability details before a vendor-supplied update is available for issues reported through the MSVR program unless there is significant evidence of active attacks in the wild. If attacks begin before the vendor has released their remediation, Microsoft will continue to coordinate to release consistent mitigation and workaround guidance with the vendor. This cooperative approach ensures that affected customers understand their risk and what to do to mitigate that risk, without revealing details that attackers can use to commit cybercrime.
This coordination takes place under Microsoft's Coordinated Vulnerability Disclosure (CVD) approach to vulnerability disclosure. CVD clarifies how Microsoft responds as a vendor impacted by vulnerabilities in its products and services, as a finder of new vulnerabilities in third-party products and services, and as a coordinator of vulnerabilities that affect multiple vendors.
MSVR Advisories are posted at http://www.microsoft.com/technet/security/advisory/MSVRarchive.mspx.
To contact MSVR, send an email message to [email protected].