Microsoft's security team bolstered its attempt to play ball with third parties yesterday, rolling out the third programme in a week designed to help others with security issues.
The Microsoft Vulnerability Research (MSVR) initiative will see the company formally alert third-party vendors to security bugs in their software.
In the course of its own software development, which includes finding security flaws, Microsoft's researchers sometimes find bugs in other vendors' products, said Andrew Cushman, director of security response and outreach. But previous attempts to alert other vendors had been ad hoc, and MSVR formalised the process, he said.
Cushman admitted Microsoft would not be putting any more code analysers on the team, but one or two extra employees would be tasked with taking code flaws found in third-party products by the Microsoft security team and bringing them to light.
This puts Microsoft in the same position as the many security researchers who bring software flaws to its attention, and the company has developed a policy of responsible disclosure. "We will not make details of the vulnerability public until an update is available," said Cushman.
No cash would change hands for vulnerability disclosures, he said, adding, "We will ask for recognition so that they credit us in their bulletins or advisories."
Earlier this week, the firm unveiled its Microsoft Active Protections Program (MAPP) and Exploit Index initiatives, designed to assist other security vendors and Microsoft customers with information about security issues.