.NET Security Group: Partner companies receive security patches early

Microsoft has announced an expansion of the .NET Security Group. Previously, this operated as a private group and was only accessible by invitation. However, companies that ship their distribution of .NET can now apply for membership – and benefit from being informed about recognized security vulnerabilities and receiving patches earlier than the public.

The .NET Security Group, with current members Canonical, IBM, Red Hat, and Microsoft, has existed since 2016. The .NET project, led by Microsoft, publishes information on known security vulnerabilities and fixes in most months on Patch Tuesday – so also this month. However, members of the .NET Security Group are informed about known threats about a week earlier and receive corresponding patches, allowing them to build, validate, and release their binary packages at the same time as Microsoft.

Heise Conference on .NET 10.0

Improved classes in .NET 10.0, Native AOT with Entity Framework Core 10.0, and more: .NET professionals will inform you about these topics at the online conference betterCode() .NET 10.0 on November 18, 2025. Subsequently, there will be six full-day workshops on topics such as C# 14.0, artificial intelligence, and web APIs.

Membership Requires Trust

As Microsoft emphasizes on its developer blog stresses, the sensitive information requires a high degree of trust in the partners within the .NET Security Group. After companies have submitted the application form, a review of potential new members takes place, which usually takes several days to weeks based on the scope of the submitted information. Criteria include company authenticity, security risks, and possible trade sanctions. Microsoft reviews the members annually and may request further information.

Admitted members must sign a program agreement regarding the terms of membership and additionally a Non-Disclosure Agreement (NDA) with Microsoft if one is not already in place.

(mai)