If you believe you have found a security vulnerability, please e-mail us at secure@microsoft.com with as much of the below information as possible. This information will help us better understand the nature and scope of the possible issue.
  • Type of issue (cross-site scripting, SQL injection, etc.)
  • Any special configuration required to reproduce the issue
  • Proof-of-concept / URL demonstrating the vulnerability
  • Impact of the issue, including how an attacker could exploit the issue
  • To encrypt your message to our PGP key, please download it from the Microsoft Security Response Center PGP Key.
You should receive a response within 24 hours. If for some reason you do not, please follow up with us to ensure we received your original message.
For further information, please visit the Microsoft Security Response Policy and Practices and read the Acknowledgment Policy for Microsoft Security Bulletins.

Traditionally, administrators install, manage, and support software on a local computing device within an organization’s environment. For example, Microsoft Word resides on a personal computer. Administrators also manage the operation, upkeep, and maintenance of Word.

By contrast, with online services, a critical portion of the software generally resides with a service provider outside the local computer. This does not mean all the software resides with the service provider; there may be some software local to the personal computer that delivers the value of the online service or enhances the user experience. The common theme among online services is that users derive a significant portion of the value of the software by accessing the service provider’s systems remotely. Another key aspect of online services is that the service provider is responsible for managing the operation, upkeep and maintenance of the software. With Microsoft online services, Microsoft is the service provider that hosts and manages the software for you.

Online services security vulnerabilities are issues that may allow an attacker to misuse a web application via methods such as cross-site scripting, SQL injections, etc.

We want online services security researchers to know that we respect and appreciate their contribution to the security of Microsoft’s web properties. We appreciate any researcher who responsibly submits vulnerabilities, which helps protect customers from security threats.

Security bulletins are a "call-to-action" from the Microsoft Security Response Center and generally include mitigations, workarounds, and vulnerability details that customers can use to help protect themselves. They also include security update information that will help customers verify their status. Because Microsoft fixes online services vulnerabilities on our side, there is generally no call-to-action for customers and generally no security bulletin.

You only have to submit one Microsoft-verified security vulnerability for Microsoft to add your name to the acknowledgment page.

Microsoft will not pursue legal action against security researchers that submit potential online services security vulnerabilities through coordinated vulnerability disclosure.

Online services security researchers are able to query the site for submission history and in future versions we intend to make the query process more comprehensive.

When closing the MSRC Security investigation, Microsoft will send the researcher a case closure email asking whether to publish the researcher’s name on the online services security researcher acknowledgment page.