Microsoft's China connections seem to have once again "come back to haunt" the company. I have come across reports that Microsoft no longer grants security researchers from China early access to zero-day vulnerabilities or proof-of-concept (PoC) exploits. The SharePoint incident involving hacks by Chinese groups casts a shadow over the future.
Microsoft's China connections
Microsoft had been working for many years with software specialists in China to maintain its cloud services. I reported on this incredible arrangement in my blog post Insane: Microsoft let Chinese software engineers maintain the cloud of US Department of Defense. After the matter came to light, Microsoft 'quietly' buried it (see Microsoft says it's ending U.S. Defense Department cloud maintenance by Chinese software engineers).
Well, it had to happen sometime, and it wasn't that bad. "What's there to get at the US Department of Defense? We always have to reassure the people in China, otherwise they'll fall off their chairs laughing," was the unofficial statement from a Microsoft spokesperson who wished to remain anonymous. And for years, US supervisors were there to keep an eye on what people in China were doing on US servers.
A US cyber expert is more critical and sees Microsoft as a repeat offender that doesn't really care about security when there's money to be made. I put together this assessment in the German article Cyber-Guru: Microsoft betrachtet Sicherheit als Ärgernis. An English version may be found at The Register.
And this was essentially confirmed, because after the SharePoint security incident (see Sharepoint servers are attacked via 0-day vulnerability (CVE-2025-53770)), which involved Chinese attackers, it became known that maintenance of the SharePoint software was carried out in China (see New insights on SharePoint Gate: Microsoft uses employees from China for maintenance).
Investigation of the SharePoint incident
After Chinese hacker groups were able to quickly carry out attacks on as-yet-unpublicized SharePoint vulnerabilities, compromising over 400 companies, a sinister suspicion arose: Could China have accessed internal information about vulnerabilities at Microsoft through a leak?
In addition to the possibility that information was extracted by SharePoint maintenance personnel in China, there was a second channel. I reported on this in the article New insights on SharePoint Gate: Microsoft uses employees from China for maintenance. There is a program called MAPP that gives security companies advance access to information about vulnerabilities and upcoming patches.
Microsoft investigated whether a security breach in its early warning system for cybersecurity companies (MAPP) enabled Chinese hackers to exploit vulnerabilities in its SharePoint service before they were fixed.
Microsoft restricts MAPP access from China
I have now read in The Register article Microsoft reportedly cuts China's early access to bug disclosures, PoC exploit code that Microsoft is reportedly restricting access to MAPP for individuals and companies from China.
David Cuddy, spokesperson for Microsoft, was interviewed by Bloomberg about the MAPP program. According to Cuddy, MAPP has begun restricting access for companies in "countries where citizens are required to report vulnerabilities to their governments," including China. Companies in these countries no longer receive "proof-of-concept" exploit code, but instead "a more general written description" that Microsoft sends out at the same time as the patches, Cuddy told the news agency. However, Microsoft declined to comment to The Register.
Similar articles:
Sharepoint servers are attacked via 0-day vulnerability (CVE-2025-53770)
Patches for Sharepoint Server 2016; China behind attacks, approx. 400 organizations compromised
Microsoft investigates whether SharePoint 0-day was leaked to hackers in advance
Insane: Microsoft let Chinese software engineers maintain the cloud of US Department of Defense
Microsoft says it's ending U.S. Defense Department cloud maintenance by Chinese software engineers
New insights on SharePoint Gate: Microsoft uses employees from China for maintenance
China hacker (Storm-0558) accessed Outlook accounts in Microsoft's cloud
Microsoft's Storm-0558 cloud hack: MSA key comes from Windows crash dump of a PC


