Exploits or vulnerabilities? If they are handing out fully built exploits, I have a problem with it. If they are just vulns then yeah, it is probably MAPP which isn't news really.
I'd argue it doesn't really matter, as I assume the US government is fully capable of creating a fully-built exploit out of a major software company's early disclosure of a vulnerability... And yes, I also assume they are using it to their full potential for surveillance (or put another way, unless someone told them explicitly not to, why wouldn't they?). And indeed, this is what the article itself hints at: this type of early alert allowed the U.S. to exploit vulnerabilities in software sold to foreign governments.
I think that when "Microsoft doesn’t ask and can’t be told how the government uses such tip-offs" the problems begin. I'd really like to believe what we're told - that the exploits/vulnerabilities were only used for software sold to foreign governments - but I'd be hard pressed to actually believe that foregoing any concrete proof. Again, unless someone explicitly says "no", they seem hell-bent on using anything they can for their own increased surveillance; domestic or otherwise.
Lastly, regarding MAPP, I think this is something entirely different they're hinting at. I see several things on the MAPP criteria [1] I doubt any intelligence agencies align with ("Are you willing to have your company name and URL displayed on our MAPP website?", "Do you provide active protection technology for Microsoft products and is your product commercially available?", and "Do you sell or create products used to attack or weaken the security posture of networks or applications?" are my favourites).
Security researchers are in high demand right now and with good reason - a competent security researcher can write an exploit given a limited amount of information, and I find it unlikely MS themselves necessarily has exploit code for all situations.
I bring this up because there's nothing particularly magical about writing exploits, even if it isn't a skill an ordinary programmer possesses. If the vulnerability has already been found, then whether or not this is simply MAPP/CIPP or something more nefarious, your distinction seems a bit academic.
If they are handing out exploits, MSFT management is pretty badly incompetent. This would negatively affect their sales to foreign companies and sovereign nations. The US government may not hack US companies, but it does look like there is some evidence they hack foreign countries and governments. And MSFT is handing over keys to the US government.
Depends on the timing - if NSA gets info less than a Patch Tuesday before me, it is no big deal. If it is more, then it is huge and will hurt them in the long run.
[1] http://www.microsoft.com/security/msrc/collaboration/mapp/cr...