Microsoft Vulnerability Research: How to Be a Finder as a Vendor - Notacon 11

Explore the intricacies of Microsoft's Vulnerability Research program in this conference talk from Notacon 11. Gain insights into the role of vulnerability finders within vendor organizations as Jeremy Brown and David Seidman delve into the origins, goals, and requirements of MSVR. Learn about the process of reporting vulnerabilities, ensuring quality, and monitoring for potential impacts on Microsoft products. Examine real-world case studies involving LibAVCodec, VMware, and BlackBerry, and discover valuable lessons for running your own MSVR program. Understand best practices for reporting vulnerabilities and get answers to common questions about this critical aspect of cybersecurity.

Intro
AGENDA
WHAT WE'RE NOT COVERING
ORIGINS
MSVR ISN'T
MSVR ADVISORIES
WHY THE FOCUS ON THIRD PARTY
GOALS
WHO ARE FINDERS?
MSVR REQUIREMENTS
REPORT VULNERABILITY
MISFIRE: CLASSICO-DAY
ENSURE QUALITY
MISFIRE: NOT A BUG
CHECK FOR MICROSOFT IMPACT
MISFIRE: SALES PURGATORY
MONITOR
MISFIRE: SURPRISE!
SHIP UPDATE
MISFIRE: NO CREDIT
MSVR ADVISORY
CASE STUDY: LIBAVCODEC
CASE STUDY: VMWARE
CASE STUDY: BLACKBERRY PTG
LESSONS LEARNED
WHY YOU SHOULD RUN YOUR OWN MSVR
WHAT WE'D LIKE TO SEE WHEN REPORTING VULNERABILITIES
QUESTIONS?
CONTACT