New Security Policy for Store Apps

Microsoft has announced a new policy to help ensure the security of apps that are available through the Windows Store, Windows Phone Store, Office Store, and Azure Marketplace. The policy, which is effective immediately, requires developers to fix security vulnerabilities in their apps and enables Microsoft to remove an app from sale if the developer does not provide an effective fix. The requirement applies to all apps available in the online stores, including Microsoft apps.


The new policy is part of a Microsoft effort to help ensure that customers can have confidence in the security of the software that is available in our online stores. This confidence includes trusting that developers will respond appropriately when a security vulnerability is discovered. Microsoft has a long history of working with third-party developers and researchers to resolve security vulnerabilities. When Microsoft researchers find vulnerabilities in apps, we work directly with app developers through the Microsoft Vulnerability Research program. So far, we have had excellent cooperation from developers in fixing vulnerabilities in their programs. The policy change is just one more step that we are taking to help ensure that vulnerabilities are addressed appropriately.


Under the policy, developers will have a maximum of 180 days to submit an updated app that fixes security vulnerabilities that are not under active attack and are rated Critical or Important according to the Microsoft Security Response Center rating system. The updated app must be submitted to the store within 180 days of the first report that reproduces the issue. Microsoft reserves the right to take swift action in all cases, which may include immediate removal of the app from the store, and will exercise its discretion on a case-by-case basis.


We expect that developers will address all vulnerabilities much faster than 180 days. To date, no apps have come close to exceeding this deadline. However, Microsoft may make exceptions, such as when issues affect multiple developers or are architectural in nature, where such action is prohibited by law, or at Microsoft’s discretion. This policy does not modify existing developer agreements and Microsoft may remove apps for other reasons according to those agreements.


If you have discovered a vulnerability in a store application and have unsuccessfully attempted to work with the developer to address it, you can request assistance by contacting secure@microsoft.com.