
I'd argue it doesn't really matter, as I assume the US government is fully capable of creating a fully-built exploit out of a major software company's early disclosure of a vulnerability... And yes, I also assume they are using it to their full potential for surveillance (or put another way, unless someone told them explicitly not to, why wouldn't they?). And indeed, this is what the article itself hints at: this type of early alert allowed the U.S. to exploit vulnerabilities in software sold to foreign governments.

I think that when "Microsoft doesn’t ask and can’t be told how the government uses such tip-offs" the problems begin. I'd really like to believe what we're told - that the exploits/vulnerabilities were only used for software sold to foreign governments - but I'd be hard pressed to actually believe that foregoing any concrete proof. Again, unless someone explicitly says "no", they seem hell-bent on using anything they can for their own increased surveillance; domestic or otherwise.

Lastly, regarding MAPP, I think this is something entirely different they're hinting at. I see several things on the MAPP criteria [1] I doubt any intelligence agencies align with ("Are you willing to have your company name and URL displayed on our MAPP website?", "Do you provide active protection technology for Microsoft products and is your product commercially available?", and "Do you sell or create products used to attack or weaken the security posture of networks or applications?" are my favourites).

[1] http://www.microsoft.com/security/msrc/collaboration/mapp/cr...


