The Security Update Validation Program (SUVP) provides a small number of dedicated, external participants with limited and very controlled access to security updates. The sole purpose of this program is to test for application compatibility, stability, and reliability in simulated production environments.
Microsoft does not provide any specific information about the vulnerabilities themselves to participants. However, if an issue has been publicly disclosed, Microsoft will state that the fix is present in the testing package, but even here, Microsoft does not give any specific details on the vulnerability.
Participants receive the security updates for testing before their release through a private, secure distribution channel. Participants then test these updates under a test plan that is jointly agreed on by Microsoft and the participant. Participants are restricted to deploying the updates only in test environments. In addition, participants must commit to using dedicated teams to provide feedback on an ongoing basis to Microsoft. Deployment of pre-release updates in production environments is contractually prohibited. After the participant has completed their testing, they report the results of their testing back to Microsoft. As SUVP participants their testing, Microsoft then incorporates their feedback into the development of the final security updates. The end result of this program is higher quality updates for customers, which helps ensure timely and effective deployment of updates.
When security updates are publicly released, SUVP participants download and deploy the same updates at the same time as all Microsoft customers.
Participants in the program include customers and partners of Microsoft that represent a broad spectrum of backgrounds. The program includes OEMs, ISVs, ISPs, financial services companies, and manufacturing companies worldwide. Microsoft's goal with participants is to provide the broadest possible feedback on specific scenarios to help ensure quality in security updates. Although the program does require a managed relationship with Microsoft and a Non-Disclosure Agreement, there is no fee or Premier membership required to participate. When there is an opening in the program, customers are typically invited to join the based on several factors. The most important factor is their commitment to safeguarding program data. Other factors that are considered include the nature of their computing environment, their willingness to apply internal resources to testing, and their willingness to participate actively in providing feedback.
To help protect all Microsoft customers, participants in the SUVP are covered by a Non-Disclosure Agreement preventing them from distributing the updates or any information about the updates.
Microsoft instituted the SUVP based on customer feedback and our strong commitment to help produce higher quality security updates for customers. Through the SUVP, Microsoft has been able to collect real customer feedback on update quality to incorporate into the development of the final security updates. That feedback has led to significantly increased quality and better customer experiences in deployment.