Microsoft is reportedly considering changes to its threat and vulnerability communications program. According to the company, this program may have been a key factor in the massive attacks on Exchange servers in March this year.
The Microsoft Active Protections Program (MAPP) is a program for software vendors and partners that gives them early access to vulnerability and other threat data before it is published. MAPP, which has 81 members, aims to ensure that companies can develop strategies and deploy appropriate updates before vulnerabilities become known to the general public.
In particular, program participants are provided with a package of documents with all details of vulnerabilities known to Microsoft. It also includes instructions on how to reproduce the vulnerability and how to identify it. In some cases, the company also provides PoC exploits and other tools to better understand the vulnerability and develop a fix.
Despite the obvious advantages of MAPP, the program has recently come under scrutiny by experts, because an exploit may have leaked through it (accidentally or intentionally) and later been used in the high-profile attacks on Exchange servers.
Microsoft is considering revising the program and, in particular, how and when it provides vulnerability data to partners, sources told Bloomberg. According to the sources, the company suspects that MAPP participants may have "hinted" to attackers about the presence of vulnerabilities in Exchange after they learned about them from Microsoft in February 2021. At least two Chinese companies are under investigation.
MAPP establishes different levels of access for participants, which determine what information is shared and how far ahead of public disclosure (from several weeks to several days). Potential program changes could include changing the order of participants and their level of access, re-evaluating what Microsoft will share in the future, and adding watermarks to track data transfers and any subsequent leaks.