Microsoft Vulnerability Research: How to be a finder as a vendor - Jeremy Brown & David Seidman Notacon 11 (Hacking Illustrated Series InfoSec Tutorial Videos)
Microsoft Vulnerability Research: How to be a finder as a vendor
Jeremy Brown & David Seidman
You may think of Microsoft as a company that fixes vulnerabilities, but we frequently find security issues in other vendors’ products as well. Microsoft Vulnerability Research (MSVR) was created to help ensure that our company demonstrates the same behavior, in the role of a finder, that we’d like to see from other companies and researchers from all over the world. We make sure that our reports are complete and accurate and communicated securely and effectively to the right place. This presentation will cover how and why MSVR was created, an in-depth look at our operations and what we’ve learned so far with this program. We’ll also discuss how your company can have a centralized program to do the same. We’ll finish things off with a run-through of an example vulnerability that one of our finders discovered, reported through MSVR, and what it was like working to get it fixed with an advisory we released thereafter.
Jeremy Brown is a developer / security researcher at Microsoft. He started off there with the Malware Protection Center, reversing patches, analyzing malware and exploits in the wild, before then moving on to Windows Security to make the next version of Windows even more secure than the last. His interests include things like kernel security, static code and binary analysis, fuzzing, vulnerability coordination and disclosure as well as bug hunting techniques.
David Seidman is a Senior Security Program Manager Lead on the Microsoft Security Response Center team, where he manages Microsoft’s response to normal and high-priority security incidents such as active attacks using an unpatched vulnerability. Prior to working at the MSRC, David managed development of Microsoft Office security updates and service packs. He holds a Bachelor’s degree in Computer Science and a Master’s in Cognitive and Neural Systems from Boston University. When not putting out fires on the internet, David enjoys triathlon, mountain climbing, Brazilian jiu jitsu and brewing his own beer.