Information Sharing and Exchange

The mission of Microsoft’s Government Security Program (GSP) is to build trust through transparency. Since the program’s inception in 2003, Microsoft has provided visibility into our technology and security artifacts, which governments and international organizations can use to help protect themselves and their citizens. The Information Sharing and Exchange offering enables Microsoft to share and exchange materials about security threats, vulnerabilities, anomalous behavior, malware information, and security issues against or related to Microsoft products and services.

This offering brings together groups and resources across the Microsoft environment to help governments protect citizens, infrastructure, and organizations.

The Information Sharing and Exchange (ISE) offering provides

Name Detail
Advanced Notice of Security Vulnerabilities
  • 5-day advanced notice of vulnerabilities with release notes and affected software tables
  • 24-hour advanced notice including exploitability index
  • Malicious URLs
  • Feed of potentially malicious publicly facing servers and services detected by Bing crawlers
  • Updated every three hours, 5-day cycle of data
  • CTIP Botnet Feeds
  • Provided by the Digital Crimes Unit’s (DCU) Cyber Threat Intelligence Program (CTIP)
  • Botnet data is tailored to the agency (or country code top-level domain in the case of CERTs)
  • 4 feeds: Infected device, Command & Control, IoT, and Domains
  • Delivered near real-time, hourly, or daily (deduped)
  • Clean File Meta Data
  • Clean file hash data often used for allow-listing and forensics
  • Updated every 3 hours
  • Covers all Microsoft binaries on the Microsoft download center
  • Partnership
  • Information exchange through a variety of forums
  • Access to the Digital Crimes Community (DCU) Portal
  • Threat intelligence data sharing with the Digital Crimes Unit (DCU)
  • Direct engagement with engineering groups and other Microsoft teams including the Microsoft Security Response Center (MSRC) and Windows Defender Security Intelligence
  • Data Feeds Delivery

    The feeds offered under the ISE authorization reside within several groups including the Microsoft Security Response Center (MSRC), the Digital Crimes Unit (DCU), Bing, and Product Release and Security Services (PRSS).

    The GSP team provides a web-based application that allows GSP agencies to access the ISE data feeds from a single interface. All communications containing sensitive data are encrypted.

    Data Feed delivery

    Data Use Descriptions

    Advanced Security Update Notification The notice package lists all the CVEs (Common Vulnerabilities and Exposures) being addressed in the release. Each CVE contains a set of information including the Vulnerability Description (including metrics), Exploitability Index, and Affected Software.

    Content for each CVE

    Bing Malicious URLs The Bing Malicious URL feed contains publicly facing servers or services that have been identified as being potentially malicious. New files are uploaded every three hours; full data sets are generated in 5 days. Many agencies import the JSON files directly into their existing threat intelligence analysis tools.

    Geo map of IPs

    Threat types

    Clean File Meta Data (CFMD)

    The Clean File Meta Data (CFMD) feed contains cryptographic signatures (SHA256 hashes) for the files contained within Microsoft products. These are often used in forensic examinations of potentially compromised devices and for allow/disallow file execution in critical systems.

    Clean File Metadata

    CTIP Botnet Feeds: Infected Data Feed

    The DCU provides compromised victim botnet data via the DCU‘s CTIP threat intelligence service Infected device data feed, to enable network protection scenarios for CTIP subscribers, and to help facilitate remediation of the compromised systems with the goal of reducing the number of infected systems on the Internet. Other feeds include the Command and Control (C2), IoT, and Domains lists that are often used to restrict traffic flow to known malware networks via firewalls and protective DNS.

    CTIP data 1

    CTIP data 2

    Contact Us

    Contact your local Microsoft representative to learn more about the Government Security Program.