The Microsoft Security Response Center investigates all reports of security vulnerabilities affecting Microsoft products and services. If you are a security researcher and believe you have found a Microsoft security vulnerability, we would like to work with you to investigate it.

Please note that the Microsoft Security Response Center does not provide technical support for Microsoft products. If you need assistance with something other than reporting a possible security vulnerability, please see the statement below that most closely matches your situation and expand the statement for next steps.
|

Note: the guidance below assumes that you are doing research on your own behalf. If you discovered a vulnerability while doing work for another entity (such as during a pentesting engagement), please click here.

If you believe you have found a security vulnerability that meets Microsoft's definition of a security vulnerability, please submit the report to MSRC at https://msrc.microsoft.com/create-report. Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue. If the vulnerability you are reporting is from a penetration test, please work through your Microsoft Customer Support Services team who can help interpret the report and suggest remediations.  If the report contains a novel security vulnerability, the Customer Support Services team can help connect you with MSRC or you can report that directly.
  • Type of issue (buffer overflow, SQL injection, cross-site scripting, etc.)
  • Product and version that contains the bug, or URL if for an online service
  • Service packs, security updates, or other updates for the product you have installed
  • Any special configuration required to reproduce the issue
  • Step-by-step instructions to reproduce the issue on a fresh install
  • Proof-of-concept or exploit code
  • Impact of the issue, including how an attacker could exploit the issue
This information will help us triage the report more quickly. If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our Microsoft Bug Bounty page for more details and terms of our active bounty programs.
 
You should receive a response from our team within 1 business day. If you don’t hear from us, please follow up to confirm we received your original message.  
 
The Microsoft Security Response Center follows these processes for all vulnerability reports: 
  • Triage your report and determine if we should open a case for a more in-depth investigation.  
  • Investigate and take action according to our published servicing criteria.  
  • Publicly acknowledge your contribution to protecting the ecosystem when we release a fix. 
Microsoft follows Coordinated Vulnerability Disclosure (CVD) and, to protect the ecosystem, we request that those reporting to us do the same.

Thank you for submitting a vulnerability report to us.  When you submit a vulnerability report to our case managers, we will generally respond within one business day confirming that it was received. Our teams work normal business hours Monday-Friday.  If you don’t receive a response in two business days, please check your junk mail folder for a response. 

 

What happens next? 

  • Triage: Our team determines if your report meets the definition of a security vulnerability and assigns it to the product engineering group. If you have opted in for automatic communications, you should receive a message from our triage team when your case is either closed as non-serviceable or needs further evaluation. 
  • Case Assignment and Assessment: If your report is determined to be a security vulnerability, it will be assigned a case number.  A case manager will oversee its assessment and the creation of a plan to address the vulnerability.  
  • Assessment: If we reproduce your issue, we then evaluate the severity and impact, and send it off to our product engineers for further action. You should see your cases status in the portal switch to “assessment.” If you opted into receiving automatic communications, you should receive an email confirming the same. This process can take some time based on the complexity of the issue and the completeness of the report. Generally, you should receive an email when your case moves to the development stage which typically happens in a couple of weeks.  If you do not hear back from us in that time, it’s possible our response is in your junk folder or the complexity of the issue is taking longer to evaluate.  
  • Develop: If we were able to reproduce your issue, we will send your case to the appropriate engineering group for further action. There are some cases that are not appropriate for immediate servicing and will be considered as a candidate to be addressed in a future release. 
  • Release: Cases in the Release state are in preparation for release.  Sometimes this means they are awaiting official publication as part of our Patch Tuesday release, or other service update.  After your case has been fixed and is in a Resolved state, congratulations! You are free to discuss your findings publicly. We will give you credit for your work (unless otherwise specified) on our Researcher Acknowledgements Page.

If your Outlook.com account has been compromised, you can take action to recover your account and prevent it from being hacked again.

Visit the Windows Support site to learn how to handle forgotten passwords and other sign-in problems.

If your computer is showing symptoms of spyware, viruses, or other unwanted software, you should first let your antivirus software scan your computer and try to fix the problem.

You should also ensure that your computer has all the latest security updates from Microsoft Update, and that you are getting security updates automatically.

If you continue to have trouble, you can find additional support options by visiting the Virus and Security Solution Center.

if you’re having issues with Microsoft security updates, you can visit the Microsoft Support site to find fixes for Windows Update issues, or contact Microsoft customer support.
 
 
If you need technical information about security updates, please refer to the Security Update Guide, where you can search for information about a specific update or filter by release date and/or product range.
 

To find the appropriate support information for your location, visit Microsoft Product Support Services.

See the Forums home page on TechNet to browse questions and answers, or ask your own question.

Cybercriminals often use phishing email messages to try to steal personal information. Learn how to recognize what a phishing email message looks like and how to avoid scams that use the Microsoft name fraudulently.

To learn about the latest scams, browse through the Security Tips & Talk blog posts.

If you think you’ve been the victim of a scam, find out how you can report it and protect yourself in the future.

Please send e-mail to piracy@microsoft.com, or visit the Microsoft Software Piracy Protection site for more information.

Please send your virus, worm, or trojan horse submission to avsubmit@submit.microsoft.com. Send your spyware or other malware submission to windefend@submit.microsoft.com.

Please visit the Microsoft Support page for more information.
 

Please submit your thoughts at Contact Us: Questions About Microsoft Products.