Microsoft’s goal is to share our collective experience in dealing with security vulnerabilities with the greater security community to foster positive change. By leveraging a security assurance process like the Microsoft Software Development Lifecycle, software developers can improve their own internal processes, which will lead to fewer software vulnerabilities.

MSVR learns about vulnerabilities in third-party products in three ways:
  1. Internal Microsoft engineers: In the course of their regular work, engineers find potential vulnerabilities in third-party software. These vulnerabilities are reported to the MSVR team, which then works with the affected vendor to fix the issue.
  2. External reports to the Microsoft Security Response Center (MSRC): On occasion, an external researcher will report an issue that they believe affects a Microsoft product but that in fact affects either a third-party product or both the Microsoft product and external parties. These issues are coordinated by MSVR.
  3. Internal research projects: As time and resources permit, Microsoft performs its own vulnerability analysis and research on products that run on Microsoft operating systems, but that are not developed by Microsoft. Any issues are reported to the affected vendor under accepted Coordinated Vulnerability Disclosure practices.
This coordination takes place under Microsoft's Coordinated Vulnerability Disclosure (CVD) approach. CVD clarifies how Microsoft responds as a vendor affected by vulnerabilities in its products and services, as a finder of new vulnerabilities in third-party products and services, and as a coordinator of vulnerabilities that affect multiple vendors.