
No, Microsoft releases vulnerability information to the government along with private companies in the antivirus and intrusion prevention space. They do this because they have a coordinated patch schedule that creates windows of known vulnerability.

Microsoft does not have the in-house expertise to feed exploits to anyone.




> Microsoft does not have the in-house expertise to feed exploits to anyone.

I agree with you everywhere else in this thread, but you are clearly not up to speed on who works there if you believe that to be accurate. Some of the best exploit writers, who have pioneered new classes of techniques, work at Microsoft (because Microsoft went on a recruiting spree to target them).


I know who works there and believe my statement to be accurate; remember, we're talking about the total volume of all vulnerabilities discovered in Microsoft products.


If you are narrowing the scope of your claim to say that Microsoft doesn't have the expertise to write exploits for every version of every product affected by every vulnerability, ok, sure. That isn't what was suggested though, and isn't something any reasonable person would have implied.

Then again, the notion that Microsoft dedicates resources to serve as an outsourcing shop for NSA hackers to develop "cyber weapons" no longer has "reasonable person" anywhere on the horizon. That's not even worth entertaining, I just had to interject because I thought you were saying MS doesn't have good exploit writers ;)

I do think the MAPP equivalent for governments, probably as an unintended side effect, grants some advantage to parts of the .gov interested in attacking the products. How much, and whether or not they need it, is another story. But I agree that the NSA sure doesn't need their help - it's probably just a bit of free gravy if anything.

And in Microsoft's defense, it really wouldn't matter if they gave them to the NSA or not. The distribution list is very large, and the teams who ultimately receive that content are not vetted in any way.


I'm just questioning that they have enough exploit writers to keep up. I think (holy shit) that you and I mostly agree about this stuff.



