Microsoft to Give Governments Earlier Bug Warnings
Governments around the world told Microsoft they need more information sooner regarding patches and other security-related incidents, and the software giant delivers.
As the number of cyber threats continues to rise worldwide, Microsoft has increasingly received requests from governments around the world for earlier and more information on what security patches will be released during each "Patch Tuesday" patch cycle.
In response, Microsoft (NASDAQ: MSFT) announced two programs for governments at the AusCERT 2010 conference in Gold Coast, Queensland, Australia this week. The conference is hosted by the Australian Computer Emergency Response Team (AusCERT).
"Microsoft is moving ahead with the offering of two programs aimed at sharing key technical information on Microsoft vulnerabilities and strategies to aid in securing critical infrastructure," Steve Adegbite, senior security program manager lead, said in a post to the Microsoft Security Response Center (MSRC) Ecosystem Strategy Team blog.
"Governments serve as the entity to coordinate defensive actions between both private and public sectors to ensure that their constituents are protected as much as possible from computer based attacks. In order to do both of these roles effectively, they need access to critical information as early as possible to assess, plan and execute actions to protect people," the post continued.
The company already provides some of this advance information to security firms -- more information, in fact, than IT professionals typically receive in Microsoft's "advance notification" e-mails that the company sends out five days prior to the release of each month's Patch Tuesday security fixes.
Microsoft's two new programs fall under the aegis of an existing program called the Security Cooperation Program (SCP).
"The SCP provides a structured way for governments to collaborate with Microsoft on security initiatives in key areas, including computer incident response, attack mitigation, and citizen outreach," Jerry Bryant, group manager for response communications in the MSRC, said in an e-mailed statement.
One of the two programs will be called the Defensive Information Sharing Program (DISP), which will provide early technical information on the vulnerabilities that will soon be patched to government entities at the national level who are members of both the SCP, as well as the company's Government Security Program (GSP).
The second program, called the Critical Infrastructure Partner Program (CIPP), aims to provide insights on "security policy, including strategies, [and] approaches to help aid the protection efforts for critical infrastructures," Adegbite's blog post said.
Microsoft plans to launch a limited pilot of the DISP program this summer, and intends to launch the full program later this year. The second program, CIPP, is available now.
"CIPP is currently open to individual departments, agencies and ministries in national governments that are currently members of the GSP," Bryant said.