Microsoft offers new security partner program

In a move that the company had hinted at in recent months, following the Code Red and Nimda worms that exploited vulnerabilities in its software, Microsoft Corp. on Thursday announced its Gold Certified Partner Program for Security Solutions.

The new program, which is a component of the company’s existing partner programs, will provide Microsoft customers with references and links to security consultants and companies that have been trained, certified and tested by Microsoft to ensure quality, said Phil Putzel, program manager for the Gold Certified Partner Program.

Companies that participate in the program will be given information about some products before other sources and will also receive technical training, product information, software licenses and sales and marketing aids, Putzel said. The program will officially launch early next month.

To become a member of the Gold-level partner program (Gold is a step above the regular program), a company must already be a member of the certified partner program, must have at least four employees who hold either MCSE (Microsoft Certified Systems Engineer) or MCSD (Microsoft Certified Solution Developer) certifications, with at least two of those employees having passed three Microsoft Certified Professional tests, and must agree to Microsoft’s code of conduct on the disclosure of security vulnerabilities, the company said in a statement. The annual cost of the program is US$1,450, Putzel said.

In return, Gold-level partners will receive training, sales and marketing support, customer referrals and a host of software licenses from Microsoft, Putzel said. In addition, the partners receive dozens of licenses for Microsoft software, including Windows and Office XP, SQL Server 2000, Windows 2000 server and developer tools, he said.

The code of conduct provision of the program is likely to cause controversy, however, as it builds on a proposal put forth by Microsoft in November under which information about security vulnerabilities is not disclosed until patches to fix the problems are available. Many in the security and research communities contend that full disclosure of vulnerabilities is essential for creating work-arounds while they wait for patches. Full disclosure can further help stave off future security problems, they say.

Scott Culp, manager of the Microsoft security response center, put forward the proposal in a paper posted on Microsoft’s Web site, and reiterated the idea at the Trusted Computing Conference in November. The full disclosure of security vulnerabilities only aids hackers and led directly to the costly and serious Nimda and Code Red worms that attacked Microsoft’s IIS (Internet Information Services) Web server, he said in the paper. Code Red struck in July and August, Nimda in October.

The code of conduct in the new program will work along the lines of Culp’s proposal, with security consultants and companies pledging to inform the vendor of the problem, giving the vendor time to create a patch and users to apply it, before fully disclosing the flaw, Culp said in an interview Wednesday.

The code of conduct will lead companies to “handle security vulnerabilities responsibly and in a way that will protect the customers,” he said.

Answering critics who charge that the true aim of the program is to hide the costly and embarrassing flaws in Microsoft products from the public, he said, “there is no effort here to try to hide security vulnerabilities.”

“All we have ever suggested is that when a security patch is made available, it’s a good idea to give customers, say, a 30-day grace period” before posting details of how to exploit the vulnerability, he said. The program will allow Gold-level partners to notify their customers of any security holes they find, Culp said.

“It would be ethical to protect that customer’s system against the vulnerability (a partner discovers) ... there’s nothing in the relationship with Microsoft that would prevent that,” he said.

Withholding such information, at least until a patch has been developed and applied, only makes computing safer for users and customers, Culp said.

Microsoft Canada in Mississauga, Ont., is at