Working with Security Researchers
When a security researcher (either an individual or organization) is acknowledged in one of Microsoft’s monthly security bulletins, it means that the vulnerability was reported to the Microsoft Security Response Center (MSRC) privately. The security researcher worked with us to help us understand the vulnerability, the extent of the risk to the products and platforms, and possible mitigations.
During the technical investigation and development of the update, the vulnerability reporter is kept continually apprised of the progress and expected availability of the impending update.
This helps to minimize the threat and impact to customers everywhere by helping to ensure that Microsoft can fix the problem, ideally before widespread attacks occur.
Security researchers who report vulnerabilities to Microsoft live and work all over the world. Consequently, security-related conferences and events are held all over the world.
The MSRC sponsors and attends many of these conferences and events. Engaging in the security community by supporting worldwide events helps Microsoft learn about the new areas of focus and industry trends within the security community; tools and techniques; and related cultural and philosophical elements that affect the security landscape.
Global Conference Engagement
Security-related conferences are a platform for technical information exchange, for new research and relationships to be developed, and for greater understanding of regional trends and research. The MSRC has engaged the security community by cosponsoring or attending more than 60 security conferences worldwide since 2005.
While many more security conferences are held around the world, and as much as Microsoft would like to have a presence at every one of them, the MSRC participates only in those security conferences at which coordinated vulnerability disclosure is strictly adhered to.
The following chart shows coordinated vulnerability disclosures in Microsoft software received by the MSRC in each half-year period since the first half of 2005, as a percentage of all disclosures. The coordinated vulnerability disclosure percentage for the whole of 2009 was higher than that of any other year. The last five periods have each had rates above 70 percent, an encouraging sign following significantly lower rates in previous periods.
Engaging with the security community directly and proactively addressing security issues results in the majority of issues being responsibly reported.