The .NET project is run by Microsoft and follows our security reporting and disclosure practices. We publish vulnerability fixes and disclosures most months on Patch Tuesday. Nothing about that is changing. We are announcing the .NET Security Group, a group of organizations that will collaborate on delivering security fixes to the broadest set of .NET users, simultaneously with Microsoft. We’re all better served by getting more deployments patched, quickly and predictably.

We’re believers in the concept of upstream open source projects. That includes sharing vulnerability information with other organizations that distribute .NET. We’ve done that with a small set of companies since 2016, starting with Red Hat. Members receive source patches prior to public disclosure so that binary packages can be built, validated, and published at the same time as Microsoft’s. Membership in this group has been private, by invitation only, and grew to include Canonical, IBM, Red Hat, and Microsoft. That’s how the .NET Security Group started.

We are expanding the program to enable organizations that ship their own distribution of .NET to have the same ability to better protect their users. By sharing information about vulnerabilities with trusted partners early, we hope to reduce the time between public disclosure of CVEs and when updates are available for distributions other than Microsoft’s. We believe this will help strengthen the security of the .NET ecosystem.

If you’re shipping your own distribution of .NET and are interested in joining the group, you can apply by completing the .NET Security Group Application.

Why did we do this?

Security isn’t just a feature – it’s a core value that enables users to innovate with confidence. It is foundational to the trust .NET users place in the platform. With .NET powering workloads across finance, healthcare, government, and other critical industry verticals, even minor vulnerabilities can have outsized impact.

Users expect Microsoft to deliver secure-by-default frameworks and to respond rapidly to CVEs. We deliver on these expectations today for the Microsoft distribution of .NET.

Multiple organizations build .NET from source and ship their own distribution of .NET to their users. Several Linux distributions do this, as do independent software vendors (across both Windows and Linux). In fact, we worked in collaboration with these same organizations to reduce the cost of building .NET, resulting in the dotnet/dotnet repo. We want it to be straightforward and low-cost to distribute security fixes to users.

More recently, other organizations came to us asking whether they could get access to patches for their End-of-Life servicing businesses. These requests made us realize that it was time to publicize the .NET Security Group and better define its goals. Program members need to be active participants in the .NET upstream project and publish builds for supported .NET versions. Doing that demonstrates a strong commitment to the ecosystem and earns credibility with all participants.

As the maintainer of a critical upstream project, it is important for us to secure all major distributions of .NET: our own and those distributed by partner organizations. This change, to expand and publicize the .NET Security Group, will enable us to do just that.

What to expect

Here’s what you can expect when applying to join the .NET Security Group.

Software vendors that want to join the .NET Security Group must complete an intake form.

Given the confidential nature of the information shared during the program, we need to ensure a high degree of trust. Partners will be vetted to confirm business authenticity, assess security risks, and check against Trade Sanctions/Do Not Engage/Watch Lists. This vetting typically takes a few days to a few weeks, depending on how complete the information provided in the intake form is. Group members will be re-vetted on an annual basis, and the agreement will be renewed for another 1-year term.

Based on the results of the vetting, the partner will be approved for membership in the group. In the unlikely event that the vetting cannot be completed with the information provided, we may reach out for additional information.

Approved members will sign a program agreement outlining the terms of group membership. If a Non-Disclosure Agreement (NDA) is not already in place between the applicant and Microsoft, they will also sign an NDA. After this, they will be onboarded into the group.

Once onboarded, program members will receive information about CVEs in supported versions of .NET about a week before public disclosure each month.

Closing

If you’re shipping your own distribution of .NET today and are interested in joining the .NET Security Group, you can apply by completing the .NET Security Group Application.

The post Announcing the .NET Security Group appeared first on .NET Blog.