
Microsoft (MS) has decided not to provide relevant information to Chinese corporations when security flaws in its software (SW) are discovered, Bloomberg reported on the 20th (local time).

MS spokesperson David Cuddy said, "We implemented a new system starting last month," noting that corporations in countries with a reporting obligation to the government will be affected by the new system. As a result, the affected corporations, including those in China, will no longer receive key information about security vulnerabilities and will receive only general descriptions. In addition, MS has decided to send the code at the time the security patch that fixes the vulnerabilities is distributed.

MS has been operating the Microsoft Active Protections Program (MAPP) in collaboration with security corporations worldwide. The program gives security corporations information about security flaws in MS products before patches are publicly released, so that they can better protect customers. The change came in the wake of a large-scale hacking attack on SharePoint. More than 400 institutions and corporations, including the U.S. National Security Agency (NSA), were hacked during this attack. MS has identified the hackers behind the attack as Linen Typhoon and Violet Typhoon, state-sponsored groups from China.

Immediately after the hacking incident, MS investigated the possibility that information related to vulnerabilities was leaked from MAPP partners. The MAPP group includes more than 12 Chinese technology and security corporations, which could receive related information at least 24 hours before security patches were publicly released. MS determined that information related to Exchange Server vulnerabilities had also been leaked by its Chinese MAPP partners in 2021.

Bloomberg reported that MS's decision stemmed from Chinese law, which mandates that corporations or researchers who discover cybersecurity flaws must report them to authorities within 48 hours. Dakota Cary of U.S. cybersecurity corporation SentinelOne assessed the move positively, saying, "MS's decision to restrict access for Chinese corporations was a good choice."
