
Becoming a Member of MAPP

A: MAPP, which stands for the Microsoft Active Protections Program, is run by the Microsoft Security Response Center (MSRC). The program gives partnering security software providers early access to security vulnerability information in advance of Microsoft’s monthly security update. Early access to this information helps MAPP partners more quickly and effectively integrate protections into their security software or hardware products (such as antivirus software, network-based intrusion detection systems, or host-based intrusion prevention systems).

A: Microsoft is committed to continuous improvement to help customers manage risk and protect themselves. By sharing vulnerability information prior to the public release of security updates, MAPP enables security software providers who operate at the application and network layers to offer protection to our mutual customers in a timely manner. Without this program, security software providers would have to wait until the public release of a security bulletin before developing protections.

 

A: MAPP consists of the following key subprograms.

  • MAPP for Security Vendors – A service that provides early access to vulnerability data with three different sharing levels for qualified partners: MAPP Validate, MAPP ANS, and MAPP Entry-Level.
  • MAPP for Responders – A new service that fosters the exchange of attack detection information between Microsoft and incident response partners.
  • MAPP Scanner – A service that scans Microsoft Office documents, Adobe PDF files, URLs, and executables for potential threats.
 

A: MAPP for Security Vendors represents the core of the program, which has been in place since 2008, and adds even earlier information sharing for qualified partners. It is designed to help protect customers by providing early access to detection data for the upcoming security release, with a requirement for partners to create and deploy signatures within their products. There are three tiers in the MAPP program.

  • MAPP Entry
  • MAPP ANS
  • MAPP Validate
 

A: Much like the Microsoft Security Update Validation Program (SUVP), MAPP Validation provides qualified partners with the ability to test MAPP detection guidance. This community-based approach to validating detection information improves the quality of guidance. MAPP Validate is an invite-only program that has finite membership and strict participation criteria.

 

A: MAPP ANS (Advance Notification Service) is the second tier of the MAPP for Security Vendors program. It makes MAPP data available to qualified partners on ANS Thursday, five days before the Microsoft Monthly Update. While this program is open to all security vendors, admission is based on criteria: program participation, length of time in the MAPP program, and a requirement to be in an information sharing program with Microsoft. Information sharing is covered in the section below.

 

A: Entry-level MAPP is the traditional MAPP offering, which makes MAPP data available to qualified partners 24 hours before the Microsoft Monthly Update. All new partner organizations start in the MAPP Entry level tier.

 

A: Since Microsoft provides detection guidance for vulnerabilities before they are released on Update Tuesday, there is a level of risk being taken. Therefore, we must ensure that MAPP partners are able and willing to show reward commensurate with that risk through the protection of customers. How does this occur? Microsoft will provide two sets of detection guidance 24 hours prior to the Update Tuesday release: one will include Microsoft products (MAPP) and one will include Adobe products. The package will also include a report listing the CVEs included and whether signature creation is required or optional. For the required CVEs, the partner is required to create the signatures and integrate them into their detection products in conjunction with Update Tuesday. Normally, the required CVEs total 3-6 signatures for each product (MAPP and Adobe).

The partner is required to provide reporting on both releases: at 10 days after release for signature creation, and at 30 days after release for any telemetry detections against those signatures. Meeting the requirements for signature creation for both MAPP and Adobe, and meeting all reporting requirements, is mandatory for MAPP enrollment.

We currently do not support passive detection products, nor do we support behavioral or pattern-based detections.

 

A: As a first step, send a detailed email message to secure@microsoft.com. Someone from the MSRC will follow up with you regarding your information. All submissions should be submitted using the MSRC public PGP key located at https://technet.microsoft.com/en-us/security/dn606155.aspx.

 

A: Please send any MAPP-related issues or questions to MAPP@microsoft.com. General security escalations and questions not specific to MAPP programs should be sent to secure@microsoft.com. When sending or receiving MAPP detection guidance, the MAPP PGP key will be used. It is located at https://technet.microsoft.com/en-us/mt774618.

 

A: In the MAPP context, “active software security protections” are mechanisms that can detect intrusions into a Microsoft system, or defend a Microsoft system from exploitation attempts, absent the availability of a Microsoft security update for the issue being exploited. For example, antivirus definitions that trigger off of malicious behavior, or IDS signatures that block exploitation attempts, are considered active software security protections.

 

A: No. MAPP requires that its members actively create signatures or similar threat remediation for their products in-house. MAPP participants are expected to directly use the data provided to them via the program to develop protections internally.

 

A: Yes, MAPP is a public program. If you are accepted as a participant, you may market yourself as a MAPP partner. The aspects of the program that are confidential are those that pertain to operations and the data that is provided. All confidential information is subject to the Microsoft Non-Disclosure Agreement.

 

A: As a first step, complete the Microsoft Active Protections Program Criteria questionnaire. If your answers meet MAPP qualification requirements, then download and complete the MAPP Active Protections Form and send it to MAPP@microsoft.com.

 

A: We have a new program called MAPP for Responders that will be launching very soon that may better suit your needs. If this becomes the case, we can get you in contact with the manager handling that program.

 

A: MAPPE partners that do not achieve minimum program objectives are subject to suspension and potential expulsion from the program.

 

A: Microsoft is committed to minimizing risks to customers, and the eligibility criteria are necessary for targeting protections that cover broad groups of customers. Microsoft will continue to evaluate and update the criteria as appropriate.

MAPP Deliverables and Information Sharing

 

A: MAPP partners receive advance security vulnerability information for those vulnerabilities slated to be addressed in Microsoft’s regularly scheduled monthly security update releases. This information is provided as a package of documents that outline what Microsoft knows about the vulnerabilities. This includes the steps used to reproduce the vulnerability as well as the steps used to detect the issue. Periodically, Microsoft might also provide proof-of-concept or repro tools to further illuminate the issue and help with additional protection enhancement, as long as this information enables software security providers to provide timely and enhanced protections for our mutual customers.

Within the next few months, Microsoft is moving to an automated model for information dissemination and collection. Once implemented, all MAPP partners will receive information via an API or direct download from an established portal. All partners will also have access to a Clean File Metadata Feed (CFMD) that will help prevent false positives in detections.

Microsoft is also promoting information exchange as a part of the program. This is not a requirement of MAPP membership, but an opportunity to gain greater access to threat data. This program is a sharing program and therefore partners will be required to share data back to Microsoft. Information that is currently being shared includes:

Microsoft Shares:

  • Traditional Detection Guidance
  • Malicious URLs
  • Windows File Hashes
  • Threat Indicators (against active attacks on MS based systems)
  • Exploit Indicators
  • Other information
 
  • File Hashes
  • IP Addresses
  • File Names Associated with Known Attacks
  • Detonation Data
    • Pop to URL
    • Pop to IP
    • What the file does
    • Other related meta data
  • Email Related
    • Known bad email attachments and/or hashes for those attachments
    • Sender information
    • Subject lines
    • Sending IP addresses
  • Indicators of Compromise (all types)

A: Finally, MAPP partners have access to MAPP Scanner, a web-based detonation chamber that uses a set of heuristics to detect malicious behaviors and provides the user with a report of any exploits found. Through an instrumented virtualized environment, we simulate a user’s PC and then observe what a file or executable does, not just what it looks like. Through this behavioral heuristic method we are able to find malware that traditional AV systems can’t, and then use the analytics to understand an attacker’s approach and update other protection services. More information will be provided if the organization is accepted as a member.

 

Featured Video

Microsoft Security Response Center’s Jerry Bryant takes you inside the Microsoft Active Protections Program, or MAPP for short. Learn more about how Microsoft and its partners come together to protect customers.

MAPP Resources

MAPP PGP key

MAPP Detection Guidance Feedback Form

If you would like to provide feedback on detection guidance for a specific CVE, download and complete the MAPP Detection Guidance Feedback Form, and then send it to mapp@microsoft.com.

MSRC Blogs