Microsoft Restricts China’s Access to Vulnerability Data After Suspected Leaks
Microsoft has restricted Chinese companies’ access to early notifications about vulnerabilities in its products. The decision follows an internal investigation into potential leaks from the Microsoft Active Protections Program (MAPP), a system designed to share details of security flaws with trusted partners ahead of official patch releases. Suspicion arose in the wake of large-scale attacks on SharePoint servers, during which China-linked threat actors compromised more than 400 government agencies and corporations, including the U.S. National Nuclear Security Administration.
According to Microsoft spokesperson David Cuddy, new restrictions will now apply to MAPP participants in countries where companies are legally obliged to report vulnerabilities to government agencies. This includes China, where a 2021 law requires disclosure of cybersecurity issues to the Ministry of Industry and Information Technology within 48 hours. Previously, such partners received technical details and proof-of-concept code a full day before security updates were published. Going forward, they will instead receive only brief written descriptions of vulnerabilities, and only at the same time as official updates are released.
Microsoft emphasized that any partners found violating program rules or engaging in offensive cyber operations are removed from MAPP. The company did not disclose the outcome of its investigation into the SharePoint-related leaks, noting only that multiple scenarios are being considered.
Concerns about Chinese participants in MAPP are not new. As far back as 2012, Microsoft accused Hangzhou DPtech Technologies of violating non-disclosure agreements, and in 2021 suspected two Chinese partners of leaking details about Exchange Server vulnerabilities, which subsequently fueled a global attack attributed to the Hafnium group.
The Chinese embassy in Washington stated that it was unfamiliar with the details of either the investigation or the new restrictions but stressed that cyberthreats are a shared global challenge requiring joint efforts. At the same time, Chinese officials reiterated their opposition to any accusations of cyberattacks.
Microsoft also confirmed for the first time the closure of its transparency centers in China, where government officials had previously been allowed to review the source code of Windows and other technologies to verify the absence of surveillance backdoors. According to Cuddy, these centers “have long been closed,” and no visits had taken place since 2019.
American analysts have largely welcomed the stricter rules. SentinelOne described Microsoft’s move as justified, pointing out that Chinese companies in MAPP cannot disregard the interests of their government. Analysts also noted that, given the unprecedented scrutiny of Chinese cyber operations, Microsoft had little choice but to act decisively.
The issue drew further attention after a report by the Tech Integrity Project, which claimed that some Chinese Microsoft partners were working on the campus of the National Cybersecurity Center in Wuhan alongside entities linked to China’s Ministry of State Security. Microsoft firmly denied any involvement with this center.
In effect, Microsoft is abandoning its earlier posture of trust toward certain foreign partners, curtailing the scope of vulnerability data it shares and tightening oversight of its distribution—an approach that underscores growing concerns over global cybersecurity risks.