Microsoft has scaled back Chinese companies' access to its early warning system for cybersecurity flaws, MAPP, after hackers used details from the program to fuel attacks on Microsoft SharePoint servers in July. The company believes that some Chinese firms in the program were linked to the surge in attacks and will no longer receive proof-of-concept code. This move follows a pattern of leaks from Chinese firms in MAPP, including a 2012 leak and a 2021 global spying campaign. Other major US tech firms, such as Google, have taken different paths in China, with Google leaving the market after a hacking case in 2010 and Apple still relying heavily on China for sales and production.
Microsoft Corp. has restricted Chinese companies' access to its early warning system for cybersecurity flaws, the Microsoft Active Protections Program (MAPP), following a series of attacks that exploited vulnerabilities in its SharePoint software. The company believes that some Chinese firms in the program were involved in the attacks and will no longer provide proof-of-concept code to these participants [1].
MAPP is designed to give security software companies around the world early details about flaws in Microsoft products, enabling them to update their protections more quickly. However, Microsoft's investigation into the recent attacks suggests that details about the vulnerabilities may have leaked from the program, potentially leading to the hacks [1].
The decision to curtail Chinese companies' access to the program follows a pattern of leaks from Chinese firms in MAPP. In 2012, Microsoft accused Hangzhou DPtech Technologies Co. of breaching a non-disclosure agreement and disclosing information that exposed a major vulnerability in Windows. More recently, in 2021, Microsoft suspected at least two other Chinese MAPP partners of leaking information about vulnerabilities in its Exchange servers, leading to a global hacking campaign [1].
Microsoft's move comes amid growing concerns about cybersecurity cooperation with China. A 2021 law in China mandates that any company or security researcher who identifies a cybersecurity vulnerability must report it within 48 hours to the Ministry of Industry and Information Technology. This requirement has raised concerns about the potential for Chinese firms to use information from MAPP for their own purposes [1].
In addition to taking steps to prevent misuse of the program, Microsoft has shut down its transparency centers in China, where the government could review the source code of its technology. Microsoft had provided access to its source code in China since at least 2003, but it has since retired these facilities [1].
Microsoft's actions are part of a broader trend of US tech firms reassessing their relationships with China. While some firms, like Google, have left the Chinese market after hacking cases, others, like Apple, continue to rely heavily on China for sales and production [1].
References:
[1] https://www.bloomberg.com/news/articles/2025-08-20/microsoft-curbs-early-access-for-chinese-firms-to-cyber-flaws
[2] https://www.businesstimes.com.sg/companies-markets/telcos-media-tech/microsoft-curbs-early-access-chinese-firms-notifications-about-cybersecurity-flaws