Microsoft Vulnerability Research (MSVR)
Microsoft Vulnerability Research (MSVR) is a program specifically designed to help improve the security ecosystem as a whole through the sharing of knowledge and best practices. Microsoft’s goal is to share our collective experience in dealing with security vulnerabilities with the greater security community to foster positive change. By leveraging a security assurance process like the Microsoft Software Development Lifecycle, software developers can improve their own internal processes, which will lead to fewer software vulnerabilities.
MSVR learns about vulnerabilities in third-party products in three ways:
In April 2011 the MSVR program began issuing MSVR Advisories to provide details about software vulnerabilities that Microsoft had privately disclosed to third-party vendors. Microsoft will never reveal vulnerability details before a vendor-supplied update is available for issues reported through the MSVR program unless there is significant evidence of active attacks in the wild. If attacks begin before the vendor has released their remediation, Microsoft will continue to coordinate with the vendor to release consistent mitigation and workaround guidance. This cooperative approach ensures that affected customers understand their risk and what to do to mitigate that risk, and helps prevent the release of details that attackers can use to commit cybercrime.
This coordination takes place under Microsoft's Coordinated Vulnerability Disclosure (CVD) approach. CVD clarifies how Microsoft responds as a vendor affected by vulnerabilities in its products and services, as a finder of new vulnerabilities in third-party products and services, and as a coordinator of vulnerabilities that affect multiple vendors.