Microsoft announced on Tuesday that it plans to extend its Active Protections Program (MAPP) to include vulnerability information sharing from Adobe.
The announcement, made at the Black Hat USA 2010 conference, called upon the broader security community to move to coordinated vulnerability disclosure. Launched in October 2008 by the Microsoft Security Response Center, MAPP is a collaborative effort that allows for information sharing on Microsoft product vulnerabilities with security software providers.
Adobe plans to join Microsoft and share its vulnerability information with 65 other MAPP members later this year. “Adobe products are relied on by individuals and organizations worldwide. Given the relative ubiquity and cross-platform reach of many of our products, as well as the continued shifts in the threat landscape, Adobe has attracted increasing attention from attackers,” said Brad Arkin, senior director of product security and privacy at Adobe.
Microsoft also took the opportunity to drum up support for responsible vulnerability disclosure. "Microsoft believes coordinated vulnerability disclosure is when newly discovered vulnerabilities in hardware, software and services are disclosed directly to the vendors of the affected product, to a CERT-CC or other coordinator who will report to the vendor privately, or to a private service that will likewise report to the vendor privately," said a Microsoft spokesperson. The strong statement is likely a response to a Google engineer who released proof of concept code for an un-patched vulnerability last month.