Does one bad apple spoil Microsoft's vulnerability sharing program?

Does one bad apple spoil Microsoft's vulnerability sharing program?

Summary: Andrew Storms: There will be people calling for Microsoft to scrap MAPP but considering the market value of the information shared with MAPP partners, one confirmed leak in four years is a pretty impressive track record.

TOPICS: Security, Microsoft

Guest editorial by Andrew Storms

When Microsoft first announced the Microsoft Active Protections Program (MAPP) in 2008, there was a lot of valid speculation that the program might actually end up endangering users instead of protecting them. The thought process was simple: If Microsoft released valuable vulnerability data outside the castle walls, even 24 hours early, it would benefit cyber criminals more than customers. The fear was that the information would leak and speed up the creation more and better exploits that would be released in the wild.follow Ryan Naraine on twitter

That speculation was squashed pretty quickly and the program has been running efficiently ever since.

There have been some unconfirmed rumors about MAPP leaks in the past, but none of them have been as brazen and obvious as yesterday's RDP proof-of-concept exploit code leak.

Microsoft hasn't directly pinpointed that there is a leak in the program, but they have acknowledged a potential problem (to the degree Microsoft PR machine allows).

[ SEE: Microsoft confirms MAPP exploit code leak ]

Here's a quote from Microsoft's post:

"The details of the proof-of-concept code appear to match the vulnerability information shared with Microsoft Active Protections Program (MAPP) partners. Microsoft is actively investigating the disclosure of these details and will take the necessary actions to protect customers and ensure that confidential information we share is protected pursuant to our contracts and program requirements."

So, what might this might mean for the future of MAPP?

Well, probably not much. There will be people calling for Microsoft to scrap MAPP but considering the market value of the information shared with MAPP partners, one confirmed leak in four years is a pretty impressive track record.

As an optimist, I think this incident just underscores the motivation of almost everyone in the security to work together to reduce customer risk and improve information security programs.

* Andrew Storms is nCircle’s Director of Security Operations. He is responsible for the definition and enforcement of the company’s security compliance programs as well as overseeing day-to-day operations for the Information Technology department.


Topics: Security, Microsoft

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • No harm, no foul

    The leak wasn't that serious. It was only a leak of remote desktop administration of Windows PCs. To China.

    It wasn't even Microsoft's fault. They made all the people they gave that information to promise not to share it. And they did promise - quite sincerely and in writing even.

    Poor Microsoft is the victim here.
  • Emphatically. No. Sharing is good.

    Move on. Microsoft will do more for Humanity if they realize sharing has nothing to do with monetizing.

    Red Hat is setting the example.
    Dietrich T. Schmitz *Your
    • When you can't say some something bad about MS...

      ...use twisted logic to post for Red Hat? That doesn't even make any sense.
      • What would have never been had Microsoft been Open Source?

        Answer: this story.

        Everyone would have been on the same page, sharing.
        Transparency fuels the 'success story' that is Open Source.

        Be afraid. Very afraid. Because it's just not known 'how bad' Microsoft's coding is and because Microsoft is proprietary in nature, the majority of us will never know the answer.

        Yet more lines of text filling the Zero Day blog.
        Dietrich T. Schmitz *Your
    • Idiot

      I dont see red hat making billions in profit per quarter yet hell they dont even have a billion in revunue yet!
  • Sounds like Call for Help! circa 1998

    @ Dietrich

    Ahh, the good ol' days of ZDTV and Leo LaPorte. As much as I used to enjoy watching that show, he would always find so many ways to talk down the Windows juggernaut and throw in some Red Hat/ Flag comments. All these years later, 14 to be exact, people are still holding onto the hope that open source will eventually kill off Microsoft. It seems like with Windows 7, and eventually 8, the exact opposite is happening as Microsoft has went on to sell more than 1.5 billion copies of Windows since Call for Help first came on the air. Sure, iPads are selling like crazy these days, but let's face it, people don't have an alternative to iPad yet, Windows 8 brings that and then some. And Android, the only true open source based tablet available... has been for the most part DOA except with Fire, and no one is going to consider that a serious OS to work with, at least not for the next decade, by that time Msoft with have already launched 3 more versions of Windows and another billion+ licenses.
  • What is Flour Mill Machinery

    Textbook authors have been dealing with publishers with similar to worse terms for years and will actually see tis as a breath of fresh air.