What is the Security Update Validation Program?
Published Oct 22 2018 09:05 AM 45.2K Views
Microsoft

The Security Update Validation Program (SUVP) is a quality assurance testing program for Microsoft security updates, which are released on the second Tuesday of each month. The SUVP provides early access to Microsoft security updates—up to three weeks in advance of the official release—for the purpose of validation and interoperability testing. The program encompasses any Microsoft products for which we fix a vulnerability (e.g. Windows, Office, Exchange, or SQL Server) and is limited to trusted customers under NDA who have been nominated by a Microsoft representative.

The purpose of the SUVP is to validate Microsoft security updates against participants’ own test images and infrastructures as well as their line of business, third-party, and in-house apps. Issues found prior to public release are quickly escalated through the SUVP directly to the product teams and product managers or engineers that would need to be involved in authoring the fix. This enables rapid root cause analysis (RCA) and remediation, and fixes can be quickly validated with the reporting partner. To protect the confidentiality of privately reported vulnerability information, SUVP participants are not given vulnerability details and are contractually disallowed from reverse engineering the updates or otherwise verifying the effectiveness of the security measures being implemented.

The benefit of participating in the SUVP program is the ability to identify issues that would impact your business before Microsoft security updates are released broadly. Once identified, issues are quickly triaged and mitigated to the extent possible. This, in turn, allows you to keep your production Windows machines (or those of your customers) secure and up-to-date each month without concerns about regressions in functionality.

To be considered for participation in the SUVP, please have your Microsoft representative reach out to SUVP Onboarding at SUVPRecruit@microsoft.com to submit a nomination. The program requires that participants sign a SUVP contract and have an active Azure Active Directory (Azure AD) tenant to enable distribution of content via Microsoft Collaborate.

8 Comments

Question from some in the peanut gallery:  Can you import the updates into WSUS or SCCM?

Brass Contributor

Is this like a "Windows Insider" type option for Windows Updates? If so, can you explain the scenarios for this use?

Not exactly. You get the security updates (second Tuesday patches) a week or two ahead of time and you test it on sample machines.  Especially if you have funky LOB software that gets broken with updating this can help you - and Microsoft - identify issues ahead of time.  You don't push these updates out to all of your workstations, it's a test bed ahead of the normal second Tuesday.   You aren't testing new features, merely ensuring that we all get quality updates on patch (security) Tuesday.

Copper Contributor

Hello i remember when monthly rollups were introduced to Windows 7, it was told, that on 3rd tuesday of the month reliability and bug fixes can be tested and security fixes are included together with following patchday (2nd tuesday). It was told, that it is exactly how it already works for Windows 10.

 

Now here you are speaking about security updates, which can be tested on 3rd tuesday, is it new change or was it this way before? Also are reliability and bug fixes included on 3rd tusday aswell? 

 

 

Microsoft

Hi, like to hear more information on this program. 1 of my customer is interested. Thank you.

Silver Contributor

It would have been nice, like if there was a website and the participators would have been login with their Azure AD and sign up and fill up the form. Asking them to send an email is a traditional way and having a dedicated website to do this would be more professional and in this case only those with Azure AD would be able to participate and this would eliminate disqualified candidates.

In addition, I am wondering how you would guarantee, they won't abuse the vulnerability?

Copper Contributor

Is this Program still active.

Copper Contributor

is this program still active and how to use.

Version history
Last update:
‎Oct 22 2018 09:53 AM
Updated by: