Becoming a Member of MAPP
Q: What is MAPP?
A: MAPP, which stands for the Microsoft Active Protections Program, is run by the Microsoft Security Response Center (MSRC). The program gives partnering security software providers early access to security vulnerability information in advance of Microsoft’s monthly security update. Early access to this information helps MAPP partners more quickly and effectively integrate protections into their security software or hardware products (such as antivirus software, network-based intrusion detection systems, or host-based intrusion prevention systems).
A: Microsoft is committed to continuous improvement to help customers manage risk and protect themselves. By sharing vulnerability information prior to the public release of security updates, MAPP enables security software providers who operate at the application and network layers to offer protection to our mutual customers in a timely manner. Without this program, security software providers would have to wait until the public release of a security bulletin before developing protections.
Q: What key services does MAPP provide?
A: MAPP consists of the following key sub programs.
Q: What is MAPP for Security Vendors?
A: MAPP for Security Vendors represents the core of the program that has been in place since 2008 and adds to that even earlier information sharing for qualified partners designed to help protect customers through providing early access to detection data for the upcoming security release, with a requirement for partners to create and deploy signatures within their products. There are three tiers in the MAPP program.
Q: What is MAPP Validate?
A: Much like the Microsoft Security Update Validation Program (SUVP), MAPP Validation provides qualified partners with the ability to test MAPP detection guidance. This community-based approach to validating detection information improves the quality of guidance. MAPP Validate is an invite only program that has finite membership and strict participation criteria.
Q: What is MAPP ANS?
A: MAPP ANS (Advance Notification Service) is a is the second tier MAPP for Security Vendors program. It makes MAPP data available to qualified partners on ANS Thursday, five days before the Microsoft Monthly Update. While this program is open to all security vendors, it is criteria based on program participation, length of time in the MAPP program, and a requirement to be in an information sharing program with Microsoft. Information sharing is covered in the section below.
Q: What is MAPP Entry-Level?
A: Entry level MAPP is the traditional MAPP offering, which makes MAPP data available to qualified partners 24 hours before the Microsoft Monthly Update. All new partner organizations start in the MAPP Entry level tier.
Q: What are the requirements to join MAPP?
A: Since Microsoft provides detection guidance for vulnerabilities prior to being released on update Tuesday, there is a level of risk being taken. Therefore, we must ensure that MAPP partners are able and willing to show reward commensurate with that risk through the protection of customers. How does this occur? Microsoft will provide two sets of detection guidance 24-hours prior to update Tuesday release, one will include Microsoft products (MAPP) and one will include Adobe products. The package will also include a report listing the CVE’s included and whether signature creation is required or optional. For the required CVE’s, the partner is required to create the signatures and integrate them into their detection products in conjunction with update Tuesday. Normally, the required CVE’s total 3-6 signatures for each product (MAPP and Adobe).
The partner is required to provide reporting on both releases at 10-days after release for signature creation and 30-days after release for any telemetry detections against those signatures. Meeting the requirements for signature creation for both MAPP and Adobe, and meeting all reporting requirements is mandatory for MAPP enrollment.
We currently do not support passive detection products, nor do we support behavioral or pattern based detections.
Q: Where do I submit potential security issues that I find?
A: As a first step, send a detailed email message to firstname.lastname@example.org. Someone from the MSRC will follow up with you regarding your information. All submissions should be submitted using the MSRC public PGP key located at https://technet.microsoft.com/en-us/security/dn606155.aspx.
Q: What types of issues should I send to MAPP@microsoft.com?
A: Please send any MAPP-related issues or questions to MAPP@microsoft.com. General security escalations and questions not specific to MAPP programs should be sent to email@example.com. When sending or receiving MAPP detection guidance, the MAPP PGP key will be used. It is located at https://technet.microsoft.com/en-us/mt774618.
Q: What are "active software security protections”?
A: In the MAPP context, “active software security protections” are mechanisms that can detect intrusions into a Microsoft system, or defend a Microsoft system from exploitation attempts, absent the availability of a Microsoft security update for the issue being exploited. For example, antivirus definitions that trigger off of malicious behavior, or IDS signatures that block exploitation attempts, are considered active software security protections.
Q: If my company develops technology that only uses third-party signatures to provide protections to my clients, can it become a MAPP partner?
A: No. MAPP requires that its members actively create signatures or similar threat remediation for their products in-house. MAPP participants are expected to directly use the data provided to them via the program to develop protections internally.
Q: Will I be able to tell my customers I am part of MAPP?
A: Yes, MAPP is a public program. If you are accepted as a participant, you may market yourself as a MAPP partner. The aspects of the program that are confidential are those that pertain to operations and the data that is provided. All confidential information is subject to the Microsoft Non-Disclosure Agreement.
Q: How do I submit my company for consideration into MAPP?
A: As a first step, complete the Microsoft Active Protections Program Criteria questionnaire. If your answers meet MAPP qualification requirements, then download and complete the MAPP Active Protections Form and send it to MAPP@microsoft.com.
Q: What if my company does not meet the criteria for MAPP for Security vendors, but we still want to get involved in information sharing?
A: We have a new program called MAPP for Responders that will be launching very soon that may better suit your needs. If this becomes the case, we can get you in contact with the manager handling that program.
Q: What happens if we become members and then do not meet the program requirements moving forward?
A: MAPPE partners that do not achieve minimum program objectives are subject to suspension and potential expulsion from the program.
Q: What if we need more information before moving forward?
A: You can reach out to us directly at MAPP@microsoft.com.
Q: Why does Microsoft use these program criteria?
A: Microsoft is committed to minimizing risks to customers, and the eligibility criteria are necessary for targeting protections that cover broad groups of customers. Microsoft will continue to evaluate and update the criteria as appropriate.
MAPP Deliverables and Information Sharing
Q: If accepted as a MAPP partner, what will I receive and what is Microsoft willing to share?
A: MAPP partners receive advance security vulnerability information for those vulnerabilities slated to be addressed in Microsoft’s regularly scheduled monthly security update releases. This information is provided as a package of documents that outline what Microsoft knows about the vulnerabilities. This includes the steps used to reproduce the vulnerability as well as the steps used to detect the issue. Periodically, Microsoft might also provide proof-of-concept or repro tools to further illuminate the issue and help with additional protection enhancement, as long as this information enables software security providers to provide timely and enhanced protections for our mutual customers.
Within the next few months, Microsoft is moving to an automated model for information dissemination and collection. Once implemented, all MAPP partners will receive information via an API or direct download from an established portal. All partners will also have access to a Clean File Metadata Feed (CFMD) that will help prevent false positives in detections.
Microsoft is also promoting information exchange as a part of the program. This is not a requirement of MAPP membership, but an opportunity to gain greater access to threat data. This program is a sharing program and therefore partners will be required to share data back to Microsoft. Information that is currently being shared includes:
Q: What information is requested under information sharing?
A: Finally, MAPP partners have access to MAPP Scanner, a web based detonation chamber based on a set of heuristics that detects malicious behaviors and provides the user with a report of any exploits found. Through an instrumented virtualized environment, we simulate a user’s PC and then observe what a file or executable does, not just what it looks like. Through this behavioral heuristic method we are able to find malware that traditional AV systems can’t, and then use the analytics to understand an attacker’s approach and update other protection services. More information will be provided if the organization is accepted as a member.
Microsoft Security Response Center’s Jerry Bryant takes you inside the Microsoft Active Protections Program, or MAPP for short. Learn more about how Microsoft and its partners come together to protect customers
If you would like to provide feedback on detection guidance for a specific CVE,download and complete the MAPP Detection Guidance Feedback Form, and then send it to firstname.lastname@example.org