Microsoft Vulnerability Research (MSVR)

Microsoft Vulnerability Research (MSVR) is a program specifically designed to help improve the security ecosystem as a whole through the sharing of knowledge and best practices. Microsoft’s goal is to share our collective experience in dealing with security vulnerabilities with the greater security community to foster positive change. By leveraging a security assurance process like the Microsoft Software Development Lifecycle, software developers can improve their own internal processes, which will lead to fewer software vulnerabilities.

MSVR learns about vulnerabilities in third-party products in three ways:

• Internal Microsoft developers and test engineers: In the course of their regular work, developers and test engineers find potential vulnerabilities in third-party software. These vulnerabilities are reported to the MSVR team, which then works with the affected vendor to fix the issue.
• External reports to the Microsoft Security Response Center (MSRC): On occasion an external researcher will report an issue that they believe affects a Microsoft product but that either affects a third-party product of affects both the Microsoft product and external parties. These issues are coordinated by MSVR.
• Internal research projects: As time and resources permit, MSVR performs its own vulnerability analysis and research on products that run on Microsoft operating systems but that are not developed by Microsoft. Any issues are reported to the affected vendor under accepted Coordinated Vulnerability Disclosure practices.

MSVR Advisories

In April 2011 the MSVR program began issuing MSVR Advisories to provide details about software vulnerabilities that Microsoft had privately disclosed to third-party vendors. Microsoft will never reveal vulnerability details before a vendor-supplied update is available for issues reported though the MSVR program unless there is significant evidence of active attacks in the wild. If attacks begin before the vendor has released their remediation, Microsoft will continue to coordinate with the vendor to release consistent mitigation and workaround guidance. This cooperative approach ensures that affected customers understand their risk and what to do to mitigate that risk, and helps prevent the release of details that attackers can use to commit cybercrime.

This coordination takes place under Microsoft's Coordinated Vulnerability Disclosure (CVD) approach. CVD clarifies how Microsoft responds as a vendor affected by vulnerabilities in its products and services, as a finder of new vulnerabilities in third-party products and services, and as a coordinator of vulnerabilities that affect multiple vendors.

MSVR Advisories are posted at https://technet.microsoft.com/security/msvr/.

To contact MSVR, send an email message to msvr@microsoft.com.