The Security Update Validation Program (SUVP) is a quality assurance testing program geared toward Microsoft's monthly security update release, which occur every second Tuesday (also referred to as Update Tuesday or Patch Tuesday). SUVP partners test these security updates prior to Update Tuesday and provide us with feedback regarding usability, bug reports, test reports, etc.
OK, so no worms here, but you can certainly be the early bird when it comes to testing security updates—three weeks before they go live on Update Tuesday! How? By joining the Security Update Validation Program. This post helps you familiarize you with the SUVP and offers answers to common questions.
Q: Who can join SUVP?
A: Trusted partners under NDA.
Q: What’s the scope of SUVP?
A: The scope of the program includes any Microsoft product for which we fix a vulnerability (Windows, Office, Exchange, SQL, etc.). From the partner’s perspective, the scope is largely determined by content relevancy. It’s important to note that SUVP is an application compatibility testing program, not a vulnerability testing program.
Q: Is there a cost to join or participate in SUVP?
A: There is no cost.
Q: What’s in it for me? Why should my company participate in SUVP?
A: Great question! Participating in the program lets you:
Q: How is a typical SUVP testing cycle structured?
A: Each month’s testing is called a Test Pass. Each Test Pass starts three weeks prior to Update Tuesday. This is when the pre-release security updates are first available for download and testing. These updates are made available through Microsoft’s Collaborate Portal and, soon, a new Azure Storage solution.
New and updated pre-release security updates are continually made available through Collaborate during the three-week testing cycle.
If an issue arises during the test pass, the customer may submit a bug through Collaborate. The SUVP team will proceed with escalating the bug to Engineering for troubleshooting and resolution.
Q: Are there program requirements?
A: Yes, if during any given month, your testers are testing, they must provide feedback in the form of a “task” in Collaborate. On the other hand, if an issue arises, the tester must notify SUVP by submitting a “bug.”
Q: Do we have to test everything every month?
A: No. Partners only need to test products that are in scope to their environment and only when it makes sense for their organization. We only ask that when our customers test, they provide feedback. This is a quick process that involves check boxes relevant to the products you’ve tested.
Q: What if my test team is on holiday? Will I be penalized?
A: No, we only ask that you test as frequently as you are able. If you are not able to test for three consecutive months or longer, we ask that you notify us beforehand.
Q: How do I retrieve the pre-release security updates for testing?
A: The updates can be downloaded through the Collaborate portal or the newer Azure Storage solution as .msi files or WSUS import packages.
Q: Can I connect Microsoft Endpoint Configuration Manager to access the updates? (Updated: August 3, 2021)
A: No. Collaborate does not support Configuration Manager. However, you can download the updates into your environment and utilize Configuration Manager once downloaded.
Q: Can I utilize WSUS?
A: Yes! We do provide WSUS content via a zip file that can be consumed by Configuration Manager.
Q: I’m interested! How do I get started?
A: You will first need to submit a nomination via the SUVP nomination form. The SUVP team will review and provide a response within one week.
Q: Okay, I’m approved! Now what?
A: First, you’ll need to sign an SUVP contract and NDA. If you do not have an NDA on file, you’ll need to get that done. (The SUVP contract is separate from any contract you may already have in place with Microsoft, so having had signed any other Microsoft contract does not exempt you from signing the SUVP contract.) Next, a tenant within the Partner Center must be created. This is an Azure tenant, but there is no cost, and the tenant is not utilized as your production tenant. However, you can register your production Azure tenant in the Partner Center if you prefer.
Well, that’s the end of our Q&A. If you have more questions or you’re interested in the program, please contact us at suvprog@microsoft.com. Your feedback will help us add to the Q&A here and can also improve the quality of the program. Thanks!