Microsoft today announced plans to share pre-patch details on software vulnerabilities with governments around the world under a new program aimed at securing critical infrastructure and government assets from hacker attacks.

The program, codenamed Omega, features a Defensive Information Sharing Program (DISP) that will offer government entities at the national level technical information on vulnerabilities being patched in Microsoft's products.

Microsoft’s Steve Adegbite explains:

We will provide this information after our investigative and remediation cycle is completed to ensure that DISP members are receiving the most current information. While this process varies from issue to issue due to the complex nature of vulnerabilities, disclosure will happen just prior to our security update release cycles.

The company also announced a second information sharing program called the Critical Infrastructure Partner Program (CIPP) that aims to “provide valuable insights on security policy, including strategies, approaches to help aid the protection efforts for critical infrastructures,” according to Adegbite.

Categories: Government, Malware, Vulnerabilities

Comments (4)

  1. jf

    So Microsoft has had a beta-testing patch program for years as a semi-backdoor method of doing basically this; I know I’ve worked for several security companies that have been part of it, and it’s by and large been a “here is your patch and a write-up explanation of the problem/detection/et cetera”. It’s something that on more than one occasion people have been surprised that I know about, and it is supposed to be fairly secret, but well, a lot of people know about it. I first became aware of it in ~2005, although from talking to people my impression is that it’s been around for a lot longer.

    If I had to guess, I would say that these new programs are just rebranded versions of the same program, or an attempt at legitimizing it, or hell, it could just be a “hey, this has gotten so big it’s chaotic and it’s not really secret anymore, so let’s redo it” type of thing. Either which way, people in the security industry have been receiving pre-release patches for years.

  2. Anonymous

    So, the way I see it, we now have a legit way of telling hostile governments about ways to exploit known issues. Sure, there may only be a few weeks to develop an actual exploit, but the opportunity is there.

  3. Corrector

    And they are not expecting non-US citizens to do the “responsible(sic) disclosure” thing knowing that, do they?

Comments are closed.