Responsible Disclosure

Filling A Gap In the Vulnerability Market – First Bounty Notification

Wednesday, July 10, 2013

When Microsoft decided to offer not one but three new bounties, paying outside researchers directly for security research on some of our latest products, we put a lot of thought into developing those bounty programs. We developed a customized set of programs designed to create a win-win between the security researcher community and Microsoft’s customers, by focusing on key data about what researchers were doing with vulnerabilities they found in our products.

Read More

• BlueHat Prize
• Bounty
• Bountyprograms
• Internet Explorer (IE)
• Microsoft Windows
• Responsible Disclosure
• Security Research
• Zero-Day Exploit

Coordinated Vulnerability Disclosure Reloaded

Tuesday, April 19, 2011

Today on the MSRC Blog, Matt Thomlinson announced three new efforts to provide more transparency into Microsoft’s vulnerability disclosure process. These included a Coordinated Vulnerability Disclosure (CVD) at Microsoft procedures document, the first release of MSVR Advisories on vulnerabilities that were discovered by Microsoft and fixed by affected vendors, and an internal employee disclosure policy.

Read More

• CVD
• MSVR
• Responsible Disclosure

Coordinated Vulnerability Disclosure: Bringing Balance to the Force

Wednesday, July 21, 2010

Today on the [MSRC blog,](«http://blogs.technet.com/b/msrc/archive/2010/07/22/announcing-coordinated-vulnerability-disclosure.aspx> >) Matt Thomlinson, General Manager of Trustworthy Computing Security, announced our new philosophy on Coordinated Vulnerability Disclosure. I wanted to provide some context and history on how this came about. This post is about changing the way we at Microsoft talk about some familiar disclosure concepts, and is meant as an introduction to how Microsoft would like to engage with researchers.

Read More

• Black Hat
• Community-based Defense
• EcoStrat
• Exploitability
• Microsoft Active Protections Program (MAPP)
• Microsoft Vulnerability Research (MSVR)
• Mitigations
• MSRC
• MSRC Ecosystem Strategy
• Responsible Disclosure
• Risk Assessment
• Security Advisory
• Security Assurance
• Security Bulletin
• Security Conference Engagement
• Security Development Lifecycle (SDL)
• Security Ecosystem
• Security Engineering
• Security Research
• Security Tools
• Zero-Day Exploit

Strengthening the Security Cooperation Program

Tuesday, May 18, 2010

Handle: Cap’n Steve IRL: Steve Adegbite Rank: Senior Security Program Manager Lead Likes: Reverse Engineering an obscene amount of code and ripping it up on a snowboard Dislikes: Not much but if you hear me growl…run G’day Mate! I have always wanted to say that. I am here at the AusCERT 2010 conference in the beautiful Gold coast, Australia.

Read More

• CERT
• Community-based Defense
• Internet Explorer (IE)
• MSRC
• MSRC Ecosystem Strategy
• Responsible Disclosure
• Risk Assessment
• Security Advisory
• Security Assurance
• Security Bulletin
• Security Conference Engagement
• Security Development Lifecycle (SDL)
• Security Ecosystem
• Security Engineering
• Security Research
• Security Tools

Thank you Buenos Aires!

Monday, April 05, 2010

Handle: C-Lizzle IRL: Celene Temkin Rank: Program Manager 2 & BlueHat Project Manager Likes: Culinary warfare, BlueHat hackers and responsible disclosure Dislikes: Acts of hubris, MySpace, orange mocha Frappaccinos! Hey Everyone, As I’m sure you are all well aware by now, the second installment of the BlueHat Security Forum: Buenos Argentina Edition shipped on March 18, 2010, and was a resounding success.

Read More

• BlueHat Security Briefings
• Community-based Defense
• EcoStrat
• MSRC
• MSRC Ecosystem Strategy
• Responsible Disclosure
• Security Assurance
• Security Conference Engagement
• Security Development Lifecycle (SDL)
• Security Ecosystem
• Security Engineering
• Security Intelligence Report
• Security Research
• Watering Hole

Hacker Olympics: a shout-out from Vancouver, BC!

Thursday, April 01, 2010

Handle: Cluster IRL: Maarten Van Horenbeeck Rank: Senior Program Manager Likes: Slicing covert channels, foraging in remote memory pools, and setting off page faults Dislikes: The crackling sound of crypto breaking, warm vodka martni Handle: Mando Picker IRL: Dustin Childs Rank: Security Program Manager Likes: Protecting customers, working with security researchers, second Tuesdays, bourbon, mandolins

Read More

• CanSecWest
• Exploitability
• Internet Explorer (IE)
• MSRC Ecosystem Strategy
• Patch
• Responsible Disclosure
• Security Conference Engagement
• Security Ecosystem
• Security Engineering
• Security Research
• Watering Hole
• Zero-Day Exploit

BlueHat Security Forum: Buenos Aires Edition--Shipping!

Wednesday, March 17, 2010

Handle: Silver Surfer IRL: Mike Reavey Rank: Director, MSRC Likes: Warm weather, Battlestar Galactica, and responsibly reported vulnerabilities Dislikes: Rain, Rain without end, Clouds with potential for rain, reality TV, and unpatched vulns I’m here at the second edition of the BlueHat Security Forum, this time in Buenos Aires. So far it is shaping up to be an immensely successful event.

Read More

• Attack
• BlueHat Security Briefings
• CERT
• Community-based Defense
• Defense-in-depth
• EcoStrat
• End to End Trust
• Exploitability
• Hallway Tracks
• Microsoft Vulnerability Research (MSVR)
• Mitigations
• MSRC
• MSRC Ecosystem Strategy
• Patch
• Responsible Disclosure
• Risk Assessment
• Security Advisory
• Security Assurance
• Security Bulletin
• Security Conference Engagement
• Security Development Lifecycle (SDL)
• Security Ecosystem
• Security Engineering
• Security Intelligence Report
• Security Research
• Security Tools
• Watering Hole

Numbers, Big Numbers, at the RSA Conference 2010

Monday, March 15, 2010

Handle: Cluster IRL: Maarten Van Horenbeeck Rank: Senior Program Manager Likes: Slicing covert channels, foraging in remote memory pools, and setting off page faults Dislikes: The crackling sound of crypto breaking, warm vodka martni San Francisco has always been a somewhat odd but pleasant outpost with an appeal that attracts people from all over.

Read More

• CanSecWest
• Community-based Defense
• EcoStrat
• End to End Trust
• Hallway Tracks
• MSRC Ecosystem Strategy
• Responsible Disclosure
• Security Conference Engagement
• Security Development Lifecycle (SDL)
• Security Ecosystem
• Security Engineering
• Security Research

Snowpacalypse Now (I love the smell of briefings in the morning)

Thursday, February 18, 2010

Handle: Avatar IRL: Karl Hanmore Rank: Senior Security Strategist (aka Sergeant Grunt) Likes: Getting the job done, bringing the fight to the bad guys, good single malt whiskey Dislikes: Cowards, talkers not doers, red tape, humidity Handle: Mando Picker IRL: Dustin Childs Rank: Security Program Manager Likes: Protecting customers, working with security researchers, second Tuesdays, bourbon, mandolins

Read More

• Black Hat
• CanSecWest
• CERT
• EcoStrat
• Hallway Tracks
• Internet Explorer (IE)
• Microsoft Windows
• MSRC
• MSRC Ecosystem Strategy
• Responsible Disclosure
• Risk Assessment
• Security Advisory
• Security Conference Engagement
• Security Ecosystem
• Security Engineering
• Security Research
• Security Tools
• Watering Hole

BlueHat Security Forum: Buenos Aires Edition

Wednesday, February 10, 2010

Handle: C-Lizzle IRL: Celene Temkin Rank: Program Manager 2 & BlueHat Project Manager Likes: Culinary warfare, BlueHat hackers and responsible disclosure Dislikes: Acts of hubris, MySpace, orange mocha Frappaccinos! Hey Everyone! What speaks English, Portuguese and Spanish, has a hundred set of eyes, and battles in the defense of good against evil on a daily basis?

Read More

• BlueHat Security Briefings
• Community-based Defense
• Defense-in-depth
• EcoStrat
• End to End Trust
• Internet Explorer (IE)
• MSRC Ecosystem Strategy
• Responsible Disclosure
• Risk Assessment
• Security Assurance
• Security Conference Engagement
• Security Development Lifecycle (SDL)
• Security Ecosystem
• Security Engineering
• Security Research
• Security Tools
• Watering Hole