FAQs - Report an issue and submission guidelines (2024)


Note: the guidance below assumes that you are doing research on your own behalf. If you discovered a vulnerability while doing work for another entity (such as during a pentesting engagement), please read the "I need to validate my pentest report" section for additional info.

If you believe you have found a security vulnerability that meets Microsoft's definition of a security vulnerability, please submit the report to MSRC at https://msrc.microsoft.com/create-report. Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue. If the vulnerability you are reporting is from a penetration test, please work through your Microsoft Customer Support Services team, who can help interpret the report and suggest remediations. If the report contains a novel security vulnerability, the Customer Support Services team can help connect you with MSRC, or you can report it directly.

  • Type of issue (buffer overflow, SQL injection, cross-site scripting, etc.)
  • Product and version that contains the bug, or URL if for an online service
  • Service packs, security updates, or other updates for the product you have installed
  • Any special configuration required to reproduce the issue
  • Step-by-step instructions to reproduce the issue on a fresh install
  • Proof-of-concept or exploit code
  • Impact of the issue, including how an attacker could exploit the issue

This information will help us triage the report more quickly. If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our Microsoft Bug Bounty page for more details and the terms of our active bounty programs.

You should receive a response from our team within 1 business day. If you don’t hear from us, please follow up to confirm we received your original message.

The Microsoft Security Response Center follows these processes for all vulnerability reports:

  • Triage your report and determine if we should open a case for a more in-depth investigation.
  • Investigate and take action according to our published servicing criteria.
  • Publicly acknowledge your contribution to protecting the ecosystem when we release a fix.

Microsoft follows Coordinated Vulnerability Disclosure (CVD) and, to protect the ecosystem, we request that those reporting to us do the same.

Pentests from scanners frequently produce false positives which do not constitute a security risk. Often, pentest-reported issues are related to software not being patched with the most current update. In addition, many issues are configuration related rather than a software vulnerability. It is a best practice to manually verify the reported issue first, with the assistance of Microsoft Security Fundamentals and the Microsoft Cybersecurity Reference Architecture.

The following are the steps for handling a pentest report:

  1. Conduct internal verification of the issues listed in the pentest report.
  2. Make sure all software is up to date.
  3. Validate configuration and settings.
  4. Separate the report into individual issues and contact your Microsoft Technical Account Manager (TAM) and product-specific support.
  5. After full investigation, for any issues that are determined to be software security vulnerabilities, file a report for each vulnerability with MSRC via the Researcher Portal.

If you need additional assistance independently verifying the pentest report, please contact your TAM or open a support case at https://serviceshub.microsoft.com/.

Product-specific assistance should go through the respective support portals:

For Premier/Unified Support Customers:

  • On Premise Technologies: https://serviceshub.microsoft.com/
  • Office 365:
  • Azure: https://docs.microsoft.com/azure/azure-portal/supportability/how-to-create-azure-support-request
  • Dynamics: https://dynamics.microsoft.com/support/

For Non-Premier/Unified Support Customers:

  • On Premise Technologies: https://support.microsoft.com/
  • Azure Support: https://azure.microsoft.com/support/options/
  • Office Support: https://support.office.com/
  • Dynamics: https://dynamics.microsoft.com/support/

After investigation via the methods outlined above, if you believe you have uncovered a security vulnerability in a Microsoft product or solution, then please submit individual vulnerability reports separately to the MSRC via the Researcher Portal with the following information. Incomplete reports will not be accepted for investigation by the MSRC.

  • Description of the vulnerability
  • Detailed steps required to consistently reproduce the issue
  • Short explanation of how an attacker could use the information to exploit another user remotely
  • Proof-of-concept (POC), such as relevant code samples, crash reports, a video recording, or screenshots. Video recording for steps to reproduce an issue: https://support.microsoft.com/help/22878/windows-10-record-steps

Please sign all sensitive information you send to us with this PGP key.

Thank you for submitting a vulnerability report to us. When you submit a vulnerability report to our case managers, we will generally respond within one business day confirming that it was received. Our teams work normal business hours, Monday-Friday. If you don’t receive a response in two business days, please check your junk mail folder for a response.

What happens next?

  • Triage: Our team determines if your report meets the definition of a security vulnerability and assigns it to the product engineering group. If you have opted in for automatic communications, you should receive a message from our triage team when your case is either closed as non-serviceable or needs further evaluation.
  • Case Assignment and Assessment: If your report is determined to be a security vulnerability, it will be assigned a case number. A case manager will oversee its assessment and the creation of a plan to address the vulnerability.
  • Assessment: If we reproduce your issue, we then evaluate the severity and impact, and send it off to our product engineers for further action. You should see your case's status in the portal switch to “assessment.” If you opted into receiving automatic communications, you should receive an email confirming the same. This process can take some time based on the complexity of the issue and the completeness of the report. Generally, you should receive an email when your case moves to the development stage, which typically happens in a couple of weeks. If you do not hear back from us in that time, it’s possible our response is in your junk folder or the complexity of the issue is taking longer to evaluate.
  • Develop: If we were able to reproduce your issue, we will send your case to the appropriate engineering group for further action. There are some cases that are not appropriate for immediate servicing and will be considered as a candidate to be addressed in a future release.
  • Release: Cases in the Release state are in preparation for release. Sometimes this means they are awaiting official publication as part of our Patch Tuesday release or another service update. After your case has been fixed and is in a Resolved state, congratulations! You are free to discuss your findings publicly. We will give you credit for your work (unless otherwise specified) on our Researcher Acknowledgements Page.

If your Outlook.com account has been compromised, you can take action to recover your account and prevent it from being hacked again.

Visit the Windows Support site to learn how to handle forgotten passwords and other sign-in problems.

If your computer is showing symptoms of spyware, viruses, or other unwanted software, you should first let your antivirus software scan your computer and try to fix the problem.

You should also ensure that your computer has all the latest security updates from Microsoft Update, and that you are getting security updates automatically.

If you continue to have trouble, you can find additional support options by visiting the Microsoft Security services page.

If you’re having issues with Microsoft security updates, you can visit the Microsoft Support site to find fixes or contact the support team.

If you need technical information about security updates, please refer to the Security Update Guide, where you can search for information about a specific update or filter by release date and/or product range.

To find the appropriate support information for your location, visit Microsoft Product Support Services.

See the Microsoft Community site to browse questions and answers, or to ask your own question.

Cybercriminals often use phishing email messages to try to steal personal information. Learn how to recognize what a phishing email message looks like and how to avoid scams that use the Microsoft name fraudulently.

To learn about the latest scams, browse through the Security Tips & Talk blog posts.

If you think you’ve been the victim of a scam, find out how you can report it and protect yourself in the future.

Please send e-mail to piracy@microsoft.com, or visit the Microsoft Software Piracy Protection site for more information.

You can send us files that you think might be malware, or files that have been incorrectly detected, through the sample submission portal.

Please visit the Microsoft Support page for more information.

Please submit your thoughts at Contact Us.

The MSRC portals require login with a common social account, such as Gmail or a Microsoft Account, or with the Microsoft corporate Active Directory (AD) tenant. They do not currently support sign-in from other Azure Active Directory (AAD) tenants. Please check and confirm you are signing in with one of the approved accounts above.

Please submit feedback and feature ideas via the MSRC Portal support request form.

If none of these FAQs help clarify or resolve your issue, you may submit an MSRC Portal Support request. This will be triaged and managed on a best-effort basis based on available resourcing.

Article information

Author: Golda Nolan II