Report a Security Vulnerability

The Microsoft Security Response Center investigates all reports of security vulnerabilities affecting Microsoft products and services. If you are a security researcher and believe you have found a Microsoft security vulnerability, we would like to work with you to investigate it; please see "I need to report a possible security vulnerability to Microsoft." below.

Please note that the Microsoft Security Response Center does not provide technical support for Microsoft products. If you need assistance with something other than reporting a possible security vulnerability, please see the statement below the most closely matches your situation and expand the statement for next steps.

I suspect another individual is using my Passport or Hotmail account without my permission.

Please complete the Passport support form on the Helpful Information for Microsoft Passport Network page.

I have forgotten my Passport or Hotmail password or cannot log in to my account.

Please complete the Passport support form on the Helpful Information for Microsoft Passport Network page.

I believe my computer has been attacked or has a virus, worm, trojan horse, spyware, or other malware.

As a first step, you should allow your antivirus software to scan and attempt to repair your computer. Additionally, you may want to try the following Microsoft tools:

You should also ensure your computer has all the security updates available at Microsoft Update.

If you continue to have trouble, you can obtain free malware-related support from Microsoft Product Support Services by calling +1 (866) PC-SAFETY (+1 (866) 727-2338) in the U.S. and Canada, or at your local international subsidiary.

I am having trouble installing a Microsoft security update, or experienced issues after installing a Microsoft security update.

You can obtain free security-related support from Microsoft Product Support Services by calling +1 (866) PC-SAFETY (+1 (866) 727-2338) in the U.S. and Canada, or at your local international subsidiary.

I am experiencing technical issues with a Microsoft product.

Please contact Microsoft Product Support Services. You may also want to try posting a message to our free support newsgroups. See Microsoft Product Support Newsgroups for more information.

I need to verify whether an e-mail purportedly from Microsoft is genuine.

Please read "How to tell whether a Microsoft security-related e-mail message is genuine."

I would like to report pirated Microsoft software.

Please send e-mail to piracy@microsoft.com, or visit the Microsoft Software Piracy Protection site for more information.

I want to submit a malware sample to Microsoft.

Please send your virus, worm, or trojan horse submission to avsubmit@submit.microsoft.com. Send your spyware or other malware submission to windefend@submit.microsoft.com.

I would like to report a bug in a Microsoft product.

Please visit the Contact Us page for more information.

I would like to offer general feedback on a Microsoft product.

Please submit your thoughts at Contact Us: Questions About Microsoft Products.

I need to report a possible security vulnerability to Microsoft.

If you are a security researcher and believe you have found a security vulnerability that meets the definition of a security vulnerability that is not resolved by the 10 Immutable Laws of Security, please send e-mail to us at secure@microsoft.com with as much of the below information as possible. This information will help us to better understand the nature and scope of the possible issue.

Type of issue (buffer overflow, SQL injection, cross-site scripting, etc.)
Product and version that contains the bug
Service packs, security updates, or other updates for the product you have installed
Any special configuration required to reproduce the issue
Step-by-step instructions to reproduce the issue on a fresh install
Proof-of-concept or exploit code
Impact of the issue, including how an attacker could exploit the issue

To encrypt your message to our PGP key, please download it from the Microsoft Security Response Center PGP Key.

You should receive a response within 24 hours. If for some reason you do not, please follow up with us to ensure we received your original message.

For further information, please visit the Microsoft Security Response Policy and Practices page and read the Acknowledgment Policy for Microsoft Security Bulletins.

I would like to report a security vulnerability in an online service to Microsoft Online Services.

If you have found a security vulnerability in any of Microsoft’s online services, please send e-mail to secure@microsoft.com. We will respond to your submission within 24 hours and start working right away to remediate the vulnerability. To help our engineers identify the potential vulnerability, please include as much information in your report as possible. For example, include the following:

Proof-of-concept and/or URL demonstrating the vulnerability
Type of issue (cross-site scripting, buffer overflow, SQL injection, etc.)
Any special configuration required to reproduce the issue
Impact of the issue, including how an attacker could exploit the issue

To encrypt your message to our PGP key, please go to the Microsoft Security Response Center PGP Key and S/MIME Certificate page for further information.