Blog Post

Windows IT Pro Blog
2 MIN READ

What is the Security Update Validation Program?

Dawn Thomas's avatar
Dawn Thomas
Icon for Microsoft rankMicrosoft
Oct 22, 2018

The Security Update Validation Program (SUVP) is a quality assurance testing program for Microsoft security updates, which are released on the second Tuesday of each month. The SUVP provides early access to Microsoft security updates—up to three weeks in advance of the official release—for the purpose of validation and interoperability testing. The program encompasses any Microsoft products for which we fix a vulnerability (e.g. Windows, Office, Exchange, or SQL Server) and is limited to trusted customers under NDA who have been nominated by a Microsoft representative.

The purpose of the SUVP is to validate Microsoft security updates against participants’ own test images and infrastructures as well as their line of business, third-party, and in-house apps. Issues found prior to public release are quickly escalated through the SUVP directly to the product teams and product managers or engineers that would need to be involved in authoring the fix. This enables rapid root cause analysis (RCA) and remediation, and fixes can be quickly validated with the reporting partner. To protect the confidentiality of privately reported vulnerability information, SUVP participants are not given vulnerability details and are contractually disallowed from reverse engineering the updates or otherwise verifying the effectiveness of the security measures being implemented.

The benefit of participating in the SUVP program is the ability to identify issues that would impact your business before Microsoft security updates are released broadly. Once identified, issues are quickly triaged and mitigated to the extent possible. This, in turn, allows you to keep your production Windows machines (or those of your customers) secure and up-to-date each month without concerns about regressions in functionality.

To be considered for participation in the SUVP, please have your Microsoft representative reach out to SUVP Onboarding at SUVPRecruit@microsoft.com to submit a nomination. The program requires that participants sign a SUVP contract and have an active Azure Active Directory (Azure AD) tenant to enable distribution of content via Microsoft Collaborate.

Updated Oct 22, 2018
Version 2.0
security
  • Reza_Ameri's avatar
    Reza_Ameri
    Silver Contributor
    Jul 22, 2021

    It would have been nice, like if there was a website and the participators would have been login with their Azure AD and sign up and fill up the form. Asking them to send an email is a traditional way and having a dedicated website to do this would be more professional and in this case only those with Azure AD would be able to participate and this would eliminate disqualified candidates.

    In addition, I am wondering how you would guarantee, they won't abuse the vulnerability?

  • Logen_S's avatar
    Logen_S
    Icon for Microsoft rankMicrosoft
    Jul 22, 2021

    Hi, like to hear more information on this program. 1 of my customer is interested. Thank you.

  • Euphorie's avatar
    Euphorie
    Copper Contributor
    Dec 03, 2018

    Hello i remember when monthly rollups were introduced to Windows 7, it was told, that on 3rd tuesday of the month reliability and bug fixes can be tested and security fixes are included together with following patchday (2nd tuesday). It was told, that it is exactly how it already works for Windows 10.

     

    Now here you are speaking about security updates, which can be tested on 3rd tuesday, is it new change or was it this way before? Also are reliability and bug fixes included on 3rd tusday aswell? 

     

     

  • SusanBradleyGeek's avatar
    SusanBradleyGeek
    MVP
    Nov 14, 2018

    Not exactly. You get the security updates (second Tuesday patches) a week or two ahead of time and you test it on sample machines.  Especially if you have funky LOB software that gets broken with updating this can help you - and Microsoft - identify issues ahead of time.  You don't push these updates out to all of your workstations, it's a test bed ahead of the normal second Tuesday.   You aren't testing new features, merely ensuring that we all get quality updates on patch (security) Tuesday.

  • Drew_Davis's avatar
    Drew_Davis
    Brass Contributor
    Nov 14, 2018

    Is this like a "Windows Insider" type option for Windows Updates? If so, can you explain the scenarios for this use?

    • Zer0nv's avatar
      Zer0nv
      Icon for Microsoft rankMicrosoft
      Mar 12, 2025

      SusanBradleyGeek  answered it quite nicely just above your post.

      The short answer is yes. I can affirm that I have had many large customer accounts who use it just as described by Susan, and they LOVE it.