Microsoft Active Protections Program
Frequently Asked Questions
Microsoft has defined objective, measurable, and tailored membership criteria for prospective participants. The criteria is designed to ensure that Microsoft is able to work with security providers to protect a broad range of customers. We will evaluate the criteria continuously, based on customer and partner feedback, to determine if it needs to be refined.
MAPP has open enrollment for security providers. Please find below the initial selection criteria to apply for membership in MAPP.
Microsoft reserves the right to make membership decisions in its sole discretion. All questions about membership applications should be sent to: mapp@microsoft.com.
Criteria:
- You are willing to sign a Non-Disclosure Agreement with Microsoft?
- You adhere to and practice some form of coordinated vulnerability disclosure?
- You are willing to have your company name and URL displayed on our MAPP website?
- You are willing to exchange threat information with Microsoft and/or actively create updated protections on a regular basis based upon the data provided by Microsoft through MAPP?
- You are able to send and receive data via an API upon acceptance into the program?
- You provide commercially available products or services that either actively protect Microsoft customers (either in the cloud or on premises), detect threats, or generate actionable threat intelligence?
- You do not sell or create products used to attack or weaken the security posture of networks or applications? For example, penetrating testing tools or exploit framework.
MAPP for Security Vendors represents the core of the program that has been in place since 2008 and adds to that even earlier information sharing for qualified partners designed to help protect customers through providing early access to detection data for the upcoming security release, with a requirement for partners to create and deploy signatures within their products. There are three tiers in the MAPP: MAPP Entry, MAPP ANS, and MAPP Validate.
Much like the Microsoft Security Update Validation Program (SUVP), MAPP Validation provides qualified partners with the ability to test MAPP detection guidance. This community-based approach to validating detection information improves the quality of guidance. MAPP Validate is an invite only program that has finite membership and strict participation criteria.
MAPP ANS (Advance Notification Service) is the second tier of the MAPP for Security Vendors program. It makes MAPP data available to qualified partners on five days before the Microsoft Monthly Update Cycle. While this program is open to all security vendors, it is criteria based on program participation, length of time in the MAPP program, and a requirement to be in an information sharing program with Microsoft. Information sharing is covered in the section below.
Entry level MAPP is the traditional MAPP offering, which makes MAPP data available to qualified partners 24 hours before the Microsoft Monthly Update Cycle. All new partner organizations start in the MAPP Entry level tier.
The best way to submit a vulnerability to the MSRC is through the Researcher Portal. An alternative is to send the vulnerability to the MSRC through secure@microsoft.com
Please send any MAPP-related issues or questions to MAPP@microsoft.com. General security escalations and questions not specific to MAPP programs should be sent to secure@microsoft.com.
You can locate the MAPP PGP Key here.
You can locate the GSPSUP PGP key here.
In the MAPP context, “active software security protections” are mechanisms that can detect intrusions into a Microsoft system, or defend a Microsoft system from exploitation attempts, absent the availability of a Microsoft security update for the issue being exploited. For example, antivirus definitions that trigger off of malicious behavior, or IDS signatures that block exploitation attempts, are considered active software security protections.
No. MAPP requires that its members actively create signatures or similar threat remediation for their products in-house. MAPP participants are expected to directly use the data provided to them via the program to develop protections internally.
Yes, MAPP is a public program. If you are accepted as a participant, you may market yourself as a MAPP partner and we will list your organization on our website. The aspects of the program that are confidential are those that pertain to operations and the data that is provided. All confidential information is subject to the Microsoft Non-Disclosure Agreement and a MAPP Agreement.
If you meet MAPP qualification requirements, you can submite your application on the MAPP Portal.
We have a new program called MAPP for Responders that will be launching very soon that may better suit your needs. If this becomes the case, we can work with you to see if this is a good fit..
MAPP partners that do not achieve minimum program objectives are subject to suspension and potential expulsion from the program.
You can reach out to us directly at MAPP@microsoft.com.
Microsoft is committed to minimizing risks to customers, and the eligibility criteria are necessary for targeting protections that cover broad groups of customers. Microsoft will continue to evaluate and update the criteria as appropriate.
- Traditional Detection Guidance
- Malicious URLs
- Windows File Hashes
- Threat Indicators (against active attacks on MS based systems)
- Exploit Indicators
- Other information
Microsoft believes in equitable sharing of security information. There is no one formula for what can be shared, but the data should generally help raise awareness of possible threats in the ecosystem. Some examples of shared data are: File Hashes, Malicious IP Addresses, File Names Associated with Known Attacks, Detonation Data, Indicators of Compromise (all types).