
Security Response Center Progress Publications

From time to time, the MSRC publishes whitepapers and reports that are designed to bring the community up to date on its activities and research. We will continue to post these downloadable publications as they become available.

BlueHat Prize Contest (August 2011)

On August 3, 2011, Microsoft launched a defensive computer security technology contest, BlueHat Prize, which will award over $250,000 in prizes. The BlueHat Prize contest is designed to inspire the security community and build collaboration among researchers throughout the cyber security industry.

The solution considered to be the most innovative runtime mitigation technology by the Microsoft BlueHat Prize board will win the grand prize of US $200,000. All entries must be received, via email to the board, by midnight PST on April 1, 2012.

Visit the BlueHat Prize contest website for more information about how to participate or to read contest rules and regulations.

BlueHat Prize Contest

Microsoft Security Response Center Progress Report (August 2011)

The Microsoft Security Response Center (MSRC) third annual progress report highlights advancements in Microsoft programs that are designed to help prevent and defend against online threats. Programs featured in this paper include:

Some highlights showcased in the report are:

  • The Microsoft Active Protections Program (MAPP) growing to 84 security companies worldwide that help provide protections for hundreds of millions of customers every month, and the positive reaction to Adobe Systems Inc.'s participation in this program.
  • The revised Exploitability Index rating for security bulletins helping reduce the need to deploy security updates on an urgent basis. Of the 605 Exploitability Index ratings issued from October 2008 to June 2011, only five have been revised and four of those revisions involved a reduction in the Exploitability Index rating.
  • The Microsoft Vulnerability Research (MSVR) program identified and disclosed, in a safe, coordinated manner, 109 different software vulnerabilities affecting a total of 38 software vendors since July 2010. Read how the software vendors have responded and coordinated on 97 percent of all vulnerabilities reported by MSVR.
  • The well-received Coordinated Vulnerability Disclosure (CVD) process for Microsoft employees, released last year, and the publication of its supporting documentation in April 2011.

Coordinated Vulnerability Disclosure (April 2011)

Microsoft has released our formal Coordinated Vulnerability Disclosure (CVD) approach to vulnerability disclosure. This new document clarifies how Microsoft responds as a vendor impacted by vulnerabilities in its products and services, as a finder of new vulnerabilities in third-party products and services, and as a coordinator of vulnerabilities that affect multiple vendors.

Microsoft believes that by privately reporting vulnerabilities to those responsible for fixing them, and allowing the vendor sufficient time to fully test the remediation, we can work cooperatively to help make the Internet safer for everyone. While we encourage other companies and individuals to follow our lead, we understand that there are many disclosure philosophies and practices, and we want to coordinate with anyone who wants to work with us.

Microsoft will never reveal vulnerability details before a vendor-supplied update is available for issues we find, unless there is significant evidence of active attacks in the wild. If attacks begin before the vendor has released their remediation, Microsoft will continue to coordinate to release consistent mitigation and workaround guidance with the vendor. This cooperative approach ensures that affected customers understand their risk and what to do to mitigate that risk, without revealing details that attackers can use to commit cybercrime.

Read more about Coordinated Vulnerability Disclosure.

Coordinated Vulnerability Disclosure

Microsoft Vulnerability Research Advisories (April 2011)

In April 2011, the MSVR program began issuing MSVR Advisories detailing software vulnerabilities that Microsoft had privately disclosed to third-party vendors. Microsoft will never reveal vulnerability details before a vendor-supplied update is available for issues reported through the MSVR program unless there is significant evidence of active attacks in the wild. If attacks begin before the vendor has released their remediation, Microsoft will continue to coordinate to release consistent mitigation and workaround guidance with the vendor. This cooperative approach ensures that affected customers understand their risk and what to do to mitigate that risk, without revealing details that attackers can use to commit cybercrime.

This coordination takes place under Microsoft's Coordinated Vulnerability Disclosure (CVD) approach to vulnerability disclosure. CVD clarifies how Microsoft responds as a vendor impacted by vulnerabilities in its products and services, as a finder of new vulnerabilities in third-party products and services, and as a coordinator of vulnerabilities that affect multiple vendors.

MSVR Advisories are posted at http://www.microsoft.com/technet/security/advisory/MSVRarchive.mspx.

To contact MSVR, send an email message to msvr@microsoft.com.
