Microsoft to give governments heads up on security vulnerabilities

Microsoft will begin a pilot program this summer to give some government organizations access to technical data on security vulnerabilities before the data is publicly available.

Editor's note: This article was updated on May 20 to correct the name of the Carnegie Mellon Software Engineering Institute.

Microsoft will share technical information on security vulnerabilities with some government organizations before it publicly releases security patches to help governments protect critical infrastructure.

Government organizations that participate in both of two existing Microsoft programs designed to share security information with governments can get advance access to the vulnerability data through a new pilot program named the Defensive Information Sharing Program (DISP).

Microsoft will start the pilot program this summer and begin the full program later this year, said Jerry Bryant, group manager, response communications for Microsoft, in an e-mail statement. Bryant said early access to that information would let the government organizations get an early start on risk assessment and mitigation.

“This will allow members [of DISP] more time to prioritize creating and disseminating authoritative guidance for increasing network defensive posture actions,” Bryant said.

DISP is one of two pilot programs that Stephen Adegbite, senior security program manager lead in the Microsoft Security Response Center, detailed in a blog post on May 17. Adegbite also described a second program, the Critical Infrastructure Partner Program, intended to share security policy insights with governments, such as approaches to help protect critical infrastructures.

“Looking at past Internet-based attacks, the trends are pointing to an increase in complex multi-dimensional computer attacks,” Adegbite wrote. “We believe that governments will see increased demands for swifter responses to vulnerabilities that threaten public assets. The need for information to aid in quicker and thorough risk assessments will be paramount.”

Jeffrey Carpenter, manager of the CERT Coordination Center at the Carnegie Mellon Software Engineering Institute, said governments have been asking for more timely vulnerability information to better protect critical infrastructure. CERT works with about 40 countries’ computer security incident response teams.

Carpenter said governments want advance notice before security patches are released so they can understand what a problem is and how it affects economies and critical infrastructure.

“I think this has been an evolving process where Microsoft has listened to the governments of countries around the world and this is working to meet the unique needs” of national computer security incident response teams, Carpenter said.

Only national government organizations will be eligible to participate in DISP. However, participants will be allowed to confidentially share the information with their regional and local entities if they can ensure it won’t be leaked.