
Microsoft Security Response Center

Security Ecosystem Collaboration

Microsoft partners with many other parties when investigating potential vulnerabilities in Microsoft software. Microsoft works to mitigate exploitation of vulnerabilities through the collaborative strength of the following:

  • Industry
  • Partners
  • Public organizations
  • Customers
  • Security researchers

Practicing Responsible Disclosure

Microsoft supports and encourages reasonable or responsible disclosure of vulnerabilities.

Responsible disclosure means disclosing vulnerabilities privately to an affected vendor so that the vendor can develop a comprehensive security update to address the vulnerability before the vulnerability details are public.

Ideally, with responsible disclosure, the release of the security update coincides with the vulnerability details becoming public. This helps ensure that users are not exposed to malicious exploitation of a publicly known but unpatched vulnerability while the security update is being developed.

Working with Security Researchers

When a security researcher is acknowledged in one of Microsoft's monthly security bulletins, it means that the vulnerability was reported privately to the Microsoft Security Response Center (MSRC). The acknowledged individual or organization worked with Microsoft to help it understand the vulnerability, the extent of the risk to the affected products and platforms, and possible mitigations.

During the technical investigation and development of the update, the vulnerability reporter is kept informed of progress and of the expected availability of the update.

This helps to minimize the threat and impact to customers everywhere by helping to ensure that Microsoft can fix the problem before potential attackers are aware of the vulnerability or can leverage it for malicious use.

Working Worldwide

Security researchers who report vulnerabilities to Microsoft live and work all over the world, and security-related conferences and events are likewise held all over the world.

The MSRC sponsors and attends many of these conferences and events. Engaging with the security community by supporting worldwide events helps Microsoft learn about new areas of focus and industry trends within the security community, emerging tools and techniques, and the related cultural and philosophical elements that affect the security landscape.

Global Conference Engagement

Security-related conferences are a platform for technical information exchange, for new research and relationships to be developed, and for greater understanding of regional trends and research. Attending these events helps the MSRC provide timely and accurate information that helps better protect customers.

The MSRC alone engages the security community by co-sponsoring or attending as many as 60 security conferences worldwide.

While many more security conferences are held around the world, and as much as Microsoft would like to have a presence at every one of them, the MSRC participates only in those security conferences that require strict adherence to responsible disclosure.

This responsible disclosure helps to keep users safer by preventing potential attackers from learning about newly discovered vulnerabilities before security updates are available.

The following chart shows responsible disclosures of vulnerabilities in Microsoft software received by the Microsoft Security Response Center (MSRC) in each half-year period since 1H05, as a percentage of all disclosures.

The responsible disclosure percentage for the whole of 2008 was higher than that of the previous year. The last three half-year periods have each had responsible disclosure rates above 70 percent, an encouraging sign following significantly lower rates in earlier periods.

Engaging with the security community directly, and proactively addressing security issues, results in the majority of vulnerabilities being reported responsibly.
