It wasn't too many years ago that Microsoft was slammed for having poor product security, particularly since their OS and applications were in use by so many businesses and consumers. Microsoft eventually took it to heart and developed processes and techniques to ensure more robust security for their products. Part of their security practice is to provide a yearly report to show initiatives used to foster deeper industry collaboration, increase community-based defenses, and better protect customers.
The report for June 2012 – July 2013 is now available for download here: Microsoft Security Response Center (MSRC) Progress Report 2013
The 27 page report gives the usual items you expect Microsoft to provide such as security statistics, zero-day vulnerability data, and the vendor's view on the exploit and vulnerability marketplace. But there's some additional pieces in this report to show they are continuing security efforts for future releases such as Internet Explorer 11 and Windows 8.1. The report also provides updates to security-related programs such as the Microsoft Active Protections Program (MAPP), Enhanced Mitigation Experience Toolkit (EMET) 4.0, and three new bounty programs with considerable cash payouts: Mitigation Bypass Bounty, Bluehat Bonus for Defense, and the Internet Explorer 11 Bug Bounty effort.
During the June 2012 – July 2013 period, Microsoft released 92 security bulletins, addressing 246 individual vulnerabilities. Only two out-of-band updates were issued and both were aligned toward Internet Explorer.
Incidentally, I had the pleasure of interviewing the Vice President of Customer Support Services (CSS) recently who walked me through some new processes they have put in place to ensure release quality based on Microsoft's new accelerated product release schedule. I'll be posting that interview soon, so check back.
