|

Microsoft has defined objective, measurable, and tailored membership criteria for prospective participants. The criteria is designed to ensure that Microsoft is able to work with security providers to protect a broad range of customers. We will evaluate the criteria continuously, based on customer and partner feedback, to determine if it needs to be refined.

MAPP has open enrollment for security providers. Please find below the initial selection criteria to apply for membership in MAPP.

Microsoft reserves the right to make membership decisions in its sole discretion. All questions about membership applications should be sent to: mapp@microsoft.com.

Criteria:

  • You are willing to sign a Non-Disclosure Agreement with Microsoft?
  • You adhere to and practice some form of coordinated vulnerability disclosure?
  • You are willing to have your company name and URL displayed on our MAPP website?
  • You are willing to exchange threat information with Microsoft and/or actively create updated protections on a regular basis based upon the data provided by Microsoft through MAPP?
  • You are able to send and receive data via an API upon acceptance into the program?
  • You provide commercially available products or services that either actively protect Microsoft customers (either in the cloud or on premises), detect threats, or generate actionable threat intelligence?
  • You do not sell or create products used to attack or weaken the security posture of networks or applications? For example, penetrating testing tools or exploit framework.

MAPP, which stands for the Microsoft Active Protections Program, is run by the Microsoft Security Response Center (MSRC). The program gives partnering security software providers early access to security vulnerability information in advance of Microsoft’s monthly security update. Early access to this information helps MAPP partners more quickly and effectively integrate protections into their security software or hardware products (such as antivirus software, network-based intrusion detection systems, or host-based intrusion prevention systems).

Microsoft is committed to continuous improvement to help customers manage risk and protect themselves. By sharing vulnerability information prior to the public release of security updates, MAPP enables security software providers who operate at the application and network layers to offer protection to our mutual customers in a timely manner. Without this program, security software providers would have to wait until the public release of a security bulletin before developing protections.

MAPP for Security Vendors represents the core of the program that has been in place since 2008 and adds to that even earlier information sharing for qualified partners designed to help protect customers through providing early access to detection data for the upcoming security release, with a requirement for partners to create and deploy signatures within their products. There are three tiers in the MAPP: MAPP Entry, MAPP ANS, and MAPP Validate.

Much like the Microsoft Security Update Validation Program (SUVP), MAPP Validation provides qualified partners with the ability to test MAPP detection guidance. This community-based approach to validating detection information improves the quality of guidance. MAPP Validate is an invite only program that has finite membership and strict participation criteria.

MAPP ANS (Advance Notification Service) is the second tier of the MAPP for Security Vendors program. It makes MAPP data available to qualified partners on five days before the Microsoft Monthly Update Cycle. While this program is open to all security vendors, it is criteria based on program participation, length of time in the MAPP program, and a requirement to be in an information sharing program with Microsoft. Information sharing is covered in the section below.

Entry level MAPP is the traditional MAPP offering, which makes MAPP data available to qualified partners 24 hours before the Microsoft Monthly Update Cycle. All new partner organizations start in the MAPP Entry level tier.

Since Microsoft provides detection guidance for vulnerabilities prior to being released on update Tuesday, there is a level of risk being taken. Therefore, we must ensure that MAPP partners are able and willing to show reward commensurate with that risk through the protection of customers. How does this occur? Microsoft will provide two sets of detection guidance 24-hours prior to update Tuesday release, one will include Microsoft products (MAPP) and one will include Adobe products. The package will also include a report listing the CVE’s included and whether signature creation is required or optional. For the required CVE’s, the partner is required to create the signatures and integrate them into their detection products in conjunction with update Tuesday. Normally, the required CVE’s total 3-6 signatures for each product (MAPP and Adobe).
 
The partner is required to provide reporting on both releases at 10-days after release for signature creation and 30-days after release for any telemetry detections against those signatures. Meeting the requirements for signature creation for both MAPP and Adobe, and meeting all reporting requirements is mandatory for MAPP enrollment.
 
We currently do not support passive detection products, but MAPP for Responders may be an option.

The best way to submit a vulnerability to the MSRC is through the Researcher Portal. An alternative is to send the vulnerability to the MSRC through secure@microsoft.com

Please send any MAPP-related issues or questions to MAPP@microsoft.com. General security escalations and questions not specific to MAPP programs should be sent to secure@microsoft.com. 

You can locate the MAPP PGP Key here.

You can locate the GSPSUP PGP key here.

In the MAPP context, “active software security protections” are mechanisms that can detect intrusions into a Microsoft system, or defend a Microsoft system from exploitation attempts, absent the availability of a Microsoft security update for the issue being exploited. For example, antivirus definitions that trigger off of malicious behavior, or IDS signatures that block exploitation attempts, are considered active software security protections.

No. MAPP requires that its members actively create signatures or similar threat remediation for their products in-house. MAPP participants are expected to directly use the data provided to them via the program to develop protections internally.

Yes, MAPP is a public program. If you are accepted as a participant, you may market yourself as a MAPP partner and we will list your organization on our website. The aspects of the program that are confidential are those that pertain to operations and the data that is provided. All confidential information is subject to the Microsoft Non-Disclosure Agreement and a MAPP Agreement.

If you meet MAPP qualification requirements, you can submite your application on the MAPP Portal.

We have a new program called MAPP for Responders that will be launching very soon that may better suit your needs. If this becomes the case, we can work with you to see if this is a good fit..

MAPP partners that do not achieve minimum program objectives are subject to suspension and potential expulsion from the program.

You can reach out to us directly at MAPP@microsoft.com.

Microsoft is committed to minimizing risks to customers, and the eligibility criteria are necessary for targeting protections that cover broad groups of customers. Microsoft will continue to evaluate and update the criteria as appropriate.

MAPP partners receive advance security vulnerability information for those vulnerabilities slated to be addressed in Microsoft’s regularly scheduled monthly security update releases. This information is provided as a package of documents that outline what Microsoft knows about the vulnerabilities. This includes the steps used to reproduce the vulnerability as well as the steps used to detect the issue. Periodically, Microsoft might also provide proof-of-concept or repro tools to further illuminate the issue and help with additional protection enhancement, as long as this information enables software security providers to provide timely and enhanced protections for our mutual customers without putting said customers at an increased risk. All MAPP partners receive information via an API or direct download from an established portal. All partners also have access to a Clean File Metadata Feed (CFMD) that will help prevent false positives in detections and our Bing Malicious URL feed.
 
Microsoft is also promoting information exchange as a part of the program. This is not a requirement of MAPP membership, but an opportunity to gain greater access to threat data. This program is a sharing program and therefore partners will be required to share data back to Microsoft.
 
Information that is currently being shared includes:
  • Traditional Detection Guidance
  • Malicious URLs
  • Windows File Hashes
  • Threat Indicators (against active attacks on MS based systems)
  • Exploit Indicators
  • Other information

Microsoft believes in equitable sharing of security information. There is no one formula for what can be shared, but the data should generally help raise awareness of possible threats in the ecosystem. Some examples of shared data are: File Hashes, Malicious IP Addresses, File Names Associated with Known Attacks, Detonation Data, Indicators of Compromise (all types).