Microsoft Reports Bugs to US Government Before Fixing Them [UPDATED]
PRISM—whatever it is in all exactness—is far from the only way Microsoft tips off the American defense apparatus. Sometimes, Bloomberg says, it's just as simple as telling the feds what's broken.
Microsoft wares have long been skewered for bugginess, fairly or not, and the US knows better than anyone:
Redmond, Washington-based Microsoft and other software or Internet security companies have been aware that this type of early alert allowed the U.S. to exploit vulnerabilities in software sold to foreign governments, according to two U.S. officials. Microsoft doesn't ask and can't be told how the government uses such tip-offs, said the officials, who asked not to be identified because the matter is confidential.
"Doesn't ask and can't be told" might be the perfect slogan when it comes to Silicon Valley's spook collaboration.
Update: Frank Shaw, Microsoft's head of corporate communications, wrote in with the following:
Microsoft has several programs through which we disclose information regarding vulnerabilities, some of which have government participants. Prior to any fix being released to the ~1B computers that receive automatic security updates each month, Microsoft communicates with program participants after our engineering cycle is completed to ensure delivery of the most current information. While timing varies slightly each month, disclosure takes place just prior to our security update for billions of customers.

One example is our Microsoft Active Protections Program (MAPP), which supplies Microsoft vulnerability information to security software partners prior to Microsoft's monthly security update release so partners can build enhanced customer protections.

Another example of information disclosure is through the Defensive Information Sharing Program (DISP), which is open to agencies, individual departments and ministries of national and local government that are also members of both the Government Security Program (GSP) and the Security Cooperation Program (SCP). Membership in the DISP program provides key technical information on security vulnerabilities prior to the security update being publicly available in order to get an early start on the risk assessment & mitigation process for national assets. This allows members more time to prioritize creating and disseminating authoritative guidance for increasing network protections.