Report an issue and submission guidelines
Frequently Asked Questions
Note: the guidance below assumes that you are doing research on your own behalf. If you discovered a vulnerability while doing work for another entity (such as during a pentesting engagement), please read the "I need to validate my pentest report" section below for additional information.
If you believe you have found a security vulnerability that meets Microsoft's definition of a security vulnerability, please submit the report to MSRC at https://msrc.microsoft.com/create-report. Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue. If the vulnerability you are reporting is from a penetration test, please work through your Microsoft Customer Support Services team who can help interpret the report and suggest remediations. If the report contains a novel security vulnerability, the Customer Support Services team can help connect you with MSRC or you can report that directly.
- Type of issue (buffer overflow, SQL injection, cross-site scripting, etc.)
- Product and version that contains the bug, or URL if for an online service
- Service packs, security updates, or other updates for the product you have installed
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue on a fresh install
- Proof-of-concept or exploit code
- Impact of the issue, including how an attacker could exploit the issue
Once we receive your report, we will:
- Triage your report and determine if we should open a case for a more in-depth investigation.
- Investigate and take action according to our published servicing criteria.
- Publicly acknowledge your contribution to protecting the ecosystem when we release a fix.
Pentests based on automated scanners frequently produce false positives that do not constitute a security risk. Often, issues reported by a pentest are caused by software that has not been patched with the most current update. In addition, many issues are configuration related rather than software vulnerabilities. It is a best practice to manually verify each reported issue first, with the assistance of Microsoft Security Fundamentals and the Microsoft Cybersecurity Reference Architecture.
The following are the steps for handling a pentest report:
- Conduct internal verification of issues listed in the pentest report.
- Make sure all software is up to date.
- Validate configuration and settings.
- Separate the report into individual issues and contact your Microsoft Technical Account Manager (TAM) and product specific support.
- After full investigation, for any issues that are determined to be software security vulnerabilities, file a report for each vulnerability with MSRC via the Researcher Portal.
If you need additional assistance independently verifying the pentest report, please contact your TAM or open a support case at https://serviceshub.microsoft.com/.
Product specific assistance should go through the respective support portals:
For Premier/Unified Support Customers:
- On Premise Technologies: https://serviceshub.microsoft.com/
- Office 365: https://docs.microsoft.com/microsoft-365/admin/contact-support-for-business-products?view=o365-worldwide&tabs=online
- Azure: https://docs.microsoft.com/azure/azure-portal/supportability/how-to-create-azure-support-request
- Dynamics: https://dynamics.microsoft.com/support/
For Non-Premier/Unified Support Customers:
- On Premise Technologies: https://support.microsoft.com/
- Azure Support: https://azure.microsoft.com/support/options/
- Office Support: https://support.office.com/
- Dynamics: https://dynamics.microsoft.com/support/
After investigation via the methods outlined above, if you believe you have uncovered a security vulnerability in a Microsoft product or solution, then please submit individual vulnerability reports separately to the MSRC via the Researcher Portal with the following information. Incomplete reports will not be accepted for investigation by the MSRC.
- Description of the vulnerability
- Detailed steps required to consistently reproduce the issue
- Short explanation about how an attacker could use the information to exploit another user remotely
- Proof-of-concept (POC), such as relevant code samples, crash reports, a video recording, or screenshots. For how to record the steps that reproduce an issue, see https://support.microsoft.com/help/22878/windows-10-record-steps
Please sign all sensitive information you send to us with this PGP key.
Thank you for submitting a vulnerability report to us. When you submit a vulnerability report to our case managers, we will generally respond within one business day confirming that it was received. Our teams work normal business hours Monday-Friday. If you don’t receive a response in two business days, please check your junk mail folder for a response.
What happens next?
- Triage: Our team determines if your report meets the definition of a security vulnerability and assigns it to the product engineering group. If you have opted in for automatic communications, you should receive a message from our triage team when your case is either closed as non-serviceable or needs further evaluation.
- Case Assignment and Assessment: If your report is determined to be a security vulnerability, it will be assigned a case number. A case manager will oversee its assessment and the creation of a plan to address the vulnerability.
- Assessment: If we reproduce your issue, we then evaluate the severity and impact, and send it off to our product engineers for further action. You should see your case's status in the portal switch to "assessment." If you opted into receiving automatic communications, you should receive an email confirming the same. This process can take some time depending on the complexity of the issue and the completeness of the report. Generally, you should receive an email when your case moves to the development stage, which typically happens within a couple of weeks. If you do not hear back from us in that time, it is possible our response is in your junk folder or that the complexity of the issue is taking longer to evaluate.
- Develop: If we were able to reproduce your issue, we will send your case to the appropriate engineering group for further action. There are some cases that are not appropriate for immediate servicing and will be considered as a candidate to be addressed in a future release.
- Release: Cases in the Release state are in preparation for release. Sometimes this means they are awaiting official publication as part of our Patch Tuesday release, or other service update. After your case has been fixed and is in a Resolved state, congratulations! You are free to discuss your findings publicly. We will give you credit for your work (unless otherwise specified) on our Researcher Acknowledgements Page.
Please submit your thoughts at Contact Us.
The MSRC portals require signing in with a common social account, such as a Gmail or Microsoft Account, or with the Microsoft corporate Active Directory (AD) tenant. They do not currently support sign-ins from other Azure Active Directory (AAD) tenants. Please check and confirm that you are signing in with one of the approved account types above.
Please submit feedback and feature ideas via the MSRC Portal support request form.
If none of these FAQs help clarify or resolve your issue, you may submit an MSRC Portal Support request. It will be triaged and handled on a best-effort basis, depending on available resourcing.