|
Q: What is the Microsoft Active Protections Program?
A: The Microsoft Active Protections Program (MAPP) is a new program for software security providers.
Members of MAPP receive security vulnerability information from the Microsoft Security Response Center (MSRC) in advance of Microsoft’s monthly security update.
When you receive vulnerability information early, you can provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems.
Microsoft continues to recommend that customers deploy security updates to help prevent the exploitation of vulnerabilities.
|
|
Q: When is it available and where can I get it?
A: The program is open for enrollment now. Send an e-mail message to MAPP at mapp@microsoft.com to find out more.
|
|
Q: What are the criteria to become a member of MAPP?
A: Because of the sensitive nature of the information shared through MAPP, Microsoft has defined objective and measurable eligibility criteria for participants in MAPP. MAPP members must:
- Execute a Non-Disclosure Agreement (NDA) with Microsoft.
- Create active application-based or network-based protections commercially for Microsoft products. (Active protections are software security measures that detect or defer intrusions into a Microsoft system or defend a Microsoft system from exploitation.)
- Serve a significant Microsoft customer base of 10,000 users or more.
- Not be a primary seller of commercial products used to attack or weaken the security of networks or applications.
- Adhere to and practice some form of responsible disclosure.
- Agree to publish monthly protections only on the date of bulletin release, and not before.
- Not use program data directly in any product. (Copying and pasting program data is prohibited.)
- Agree to be featured as a member of the program in promotional materials about the program.
Note: Microsoft solely retains any and all discretion as to whether a particular entity meets the criteria, and if so, whether a participant may stay in the program.
|
|
Q: Why does Microsoft use these program criteria?
A: Microsoft is committed to minimizing risks to customers, and the eligibility criteria above are necessary for targeting protections that cover broad groups of customers. As the program continues, Microsoft will continue to evaluate and update the criteria appropriately.
|
|
Q: What are "active software security protections?"
A: Active software security protections can detect or defer intrusions into a Microsoft system or defend a Microsoft system from exploitation attempts, without the availability of a Microsoft security update for the issue being exploited (for example, antivirus definitions that trigger on malicious behavior or IDS signatures that block exploitation attempts).
|
|
Q: If I am accepted into MAPP, what exactly do I get?
A: You will receive advance vulnerability information for those vulnerabilities to be addressed in Microsoft’s regularly scheduled monthly security update release. This information package will provide documents that outline our information on the vulnerability. These documents outline the steps used to reproduce the vulnerability as well as the steps used to detect the issue.
At times, Microsoft might also provide a binary that further illuminates the issue and helps with additional protection enhancement. The binary would be the digital programmatic representation of the steps to take to prevent damage from the vulnerability. Providing this information enables software security providers to provide timely and enhanced protections for our mutual customers.
|
|
Q: How does MAPP make customers safer?
A: The MSRC is committed to continuous improvement to help customers manage risk and protect themselves.
By sharing vulnerability information prior to the public release of a security update, Microsoft enables security software providers who operate at the application and network layer to offer protection to our mutual customers in a timely manner.
Without this program, security software providers would have to wait until the public release of the security bulletin to deploy protections.
|
|
Q: How much time does Microsoft give partners to review before and after MAPP?
A: Before Microsoft announced MAPP, security software providers received updated information when Microsoft publicly released it in its regularly scheduled monthly bulletin release.
With MAPP, Microsoft releases vulnerability reproduction code along with bulletin details to partners in advance of the public release, giving them time to test and deploy updates.
|
|
Q: Will I be able to tell my customers I am part of Microsoft Active Protections Program?
A: Yes, this is a public program. If you are accepted as a participant, you may market yourself as a MAPP member. The aspects of the program that are confidential are those that pertain to operations and the data that is provided. All confidential information is subject to the Microsoft Non-Disclosure Agreement.
|
|
Q: How do I sign up my company for consideration?
|