The Microsoft Security Response Center investigates all reports of security vulnerabilities affecting Microsoft products and services. If you are a security researcher and believe you have found a Microsoft security vulnerability, we would like to work with you to investigate it.

Please note that the Microsoft Security Response Center does not provide technical support for Microsoft products. If you need assistance with something other than reporting a possible security vulnerability, please see the statement below that most closely matches your situation and expand the statement for next steps.

Note: the guidance below assumes that you are doing research on your own behalf. If you discovered a vulnerability while doing work for another entity (for example, during a penetration testing engagement), please read the "I need to validate my pentest report" section before submitting.

If you believe you have found a security vulnerability that meets Microsoft's definition of a security vulnerability, please submit the report to MSRC at https://msrc.microsoft.com/create-report. Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue. If the vulnerability you are reporting is from a penetration test, please work through your Microsoft Customer Support Services team who can help interpret the report and suggest remediations.  If the report contains a novel security vulnerability, the Customer Support Services team can help connect you with MSRC or you can report that directly.

  • Type of issue (buffer overflow, SQL injection, cross-site scripting, etc.)
  • Product and version that contains the bug, or URL if for an online service
  • Service packs, security updates, or other updates for the product you have installed
  • Any special configuration required to reproduce the issue
  • Step-by-step instructions to reproduce the issue on a fresh install
  • Proof-of-concept or exploit code
  • Impact of the issue, including how an attacker could exploit the issue
This information will help us triage the report more quickly. If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our Microsoft Bug Bounty page for more details and terms of our active bounty programs.
 
You should receive a response from our team within 1 business day. If you don’t hear from us, please follow up to confirm we received your original message.  
 
The Microsoft Security Response Center follows these processes for all vulnerability reports: 
  • Triage your report and determine if we should open a case for a more in-depth investigation.  
  • Investigate and take action according to our published servicing criteria.  
  • Publicly acknowledge your contribution to protecting the ecosystem when we release a fix. 
Microsoft follows Coordinated Vulnerability Disclosure (CVD) and, to protect the ecosystem, we request that those reporting to us do the same.

Scanner-driven pentests frequently produce false positives that do not constitute a security risk. Reported issues are often caused by software that has not been patched with the most current update, and many others are configuration problems rather than software vulnerabilities. It is a best practice to manually verify each reported issue first, with the help of Microsoft Security Fundamentals and the Microsoft Cybersecurity Reference Architecture.

 The following are the steps for handling a pentest report: 

  1. Conduct internal verification of issues listed in the pentest report. 
  2. Make sure all software is up to date. 
  3. Validate configuration and settings. 
  4. Separate the report into individual issues and contact your Microsoft Technical Account Manager (TAM) and product specific support. 
  5. After full investigation, for any issues that are determined to be software security vulnerabilities, file a report for each vulnerability with MSRC via the Researcher Portal.  
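As an added example (not MSRC's own tooling), the PowerShell script below applies steps 1 to 3 to a scanner export on the affected host: it separates the findings, checks "missing update" findings against the installed hotfix list, checks "outdated product" findings against the binary's actual version, and runs a configuration check for findings it recognises. The CSV columns (Finding, MissingKB, Executable, MinimumVersion) and the sample rows are constructed for this example; map them to your scanner's export format.

```powershell
# Added example, not part of the MSRC page. Run on the host the scanner assessed,
# from an elevated prompt (Get-SmbServerConfiguration needs administrator rights).

# Constructed sample export; in practice use:  $findings = Import-Csv .\pentest-findings.csv
# Column names are an assumption made for this example.
$findings = @'
Finding,MissingKB,Executable,MinimumVersion
"Missing Windows security update",KB5034441,,
"Outdated Microsoft Edge",,"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",120.0.0.0
"SMBv1 enabled",,,
"Unknown finding from scanner",,,
'@ | ConvertFrom-Csv

# Configuration checks keyed by finding title; each returns $true when the weak setting is present.
$configChecks = @{
    'SMBv1 enabled' = { (Get-SmbServerConfiguration).EnableSMB1Protocol }
}

# Installed hotfix IDs as reported by Win32_QuickFixEngineering.
$installedKBs = (Get-HotFix).HotFixID

$results = foreach ($f in $findings) {
    $status = 'Needs manual verification'

    if ($f.MissingKB) {
        # Step 2: is the update the scanner wants actually installed?
        $status = if ($installedKBs -contains $f.MissingKB) {
            "Already installed ($($f.MissingKB)); likely false positive"
        } else {
            "Update $($f.MissingKB) not listed by Get-HotFix; confirm via Security Update Guide"
        }
    }
    elseif ($f.Executable -and $f.MinimumVersion) {
        # Step 2: compare the on-disk product version with the scanner's expectation.
        if (Test-Path -LiteralPath $f.Executable) {
            try {
                $raw = (Get-Item -LiteralPath $f.Executable).VersionInfo.ProductVersion
                $ver = [version]($raw -replace '[^\d.].*$', '')   # strip any trailing text
                $status = if ($ver -ge [version]$f.MinimumVersion) {
                    "Installed $ver >= $($f.MinimumVersion); likely false positive"
                } else {
                    "Outdated: $ver < $($f.MinimumVersion); update the product"
                }
            } catch { $status = "Could not parse version '$raw'" }
        } else { $status = 'Executable not found on this host' }
    }
    elseif ($configChecks.ContainsKey($f.Finding)) {
        # Step 3: validate the configuration the scanner flagged.
        $status = if (& $configChecks[$f.Finding]) {
            'Confirmed: weak configuration present; fix the setting (not a software vulnerability)'
        } else {
            'Setting already hardened; likely false positive'
        }
    }

    # Step 4: one row per finding, ready to route to support or, if a genuine
    # software vulnerability remains, to an individual MSRC report.
    [pscustomobject]@{ Finding = $f.Finding; Status = $status }
}

$results | Format-Table -AutoSize
```

Two caveats before trusting the output: Get-HotFix lists only updates recorded in Win32_QuickFixEngineering, and a newer cumulative update supersedes older KB numbers, so a "not listed" result still needs confirmation against the Security Update Guide; and a confirmed configuration weakness (such as SMBv1 being enabled) is remediated by changing the setting, not by filing an MSRC report.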

If you need additional assistance independently verifying the pentest report, please contact your TAM or open a support case at https://serviceshub.microsoft.com/. 

Product specific assistance should go through the respective support portals:   

For Premier/Unified Support Customers: 

  For Non-Premier/Unified Support Customers: 

After investigation via the methods outlined above, if you believe you have uncovered a security vulnerability in a Microsoft product or solution, then please submit individual vulnerability reports separately to the MSRC via the Researcher Portal with the following information. Incomplete reports will not be accepted for investigation by the MSRC.   

  • Description of the vulnerability 
  • Detailed steps required to consistently reproduce the issue  
  • Short explanation of how an attacker could use the issue to exploit another user remotely  
  • Proof-of-concept (POC), such as relevant code samples, crash reports, a video recording, or screenshots. Video recording for steps to reproduce an issue: https://support.microsoft.com/help/22878/windows-10-record-steps 

Please encrypt all sensitive information you send to us with the MSRC PGP key; signing alone does not keep the contents private.

Thank you for submitting a vulnerability report to us.  When you submit a vulnerability report to our case managers, we will generally respond within one business day confirming that it was received. Our teams work normal business hours Monday-Friday.  If you don’t receive a response in two business days, please check your junk mail folder for a response. 

 

What happens next? 

  • Triage: Our team determines if your report meets the definition of a security vulnerability and assigns it to the product engineering group. If you have opted in for automatic communications, you should receive a message from our triage team when your case is either closed as non-serviceable or needs further evaluation. 
  • Case Assignment and Assessment: If your report is determined to be a security vulnerability, it will be assigned a case number.  A case manager will oversee its assessment and the creation of a plan to address the vulnerability.  
  • Assessment: If we reproduce your issue, we then evaluate the severity and impact and send it to our product engineers for further action. You should see your case's status in the portal switch to "assessment." If you opted into receiving automatic communications, you should receive an email confirming the same. This process can take some time depending on the complexity of the issue and the completeness of the report. Generally, you should receive an email when your case moves to the development stage, which typically happens within a couple of weeks. If you do not hear back from us in that time, it is possible our response is in your junk folder or that the complexity of the issue is taking longer to evaluate.  
  • Develop: If we were able to reproduce your issue, we will send your case to the appropriate engineering group for further action. There are some cases that are not appropriate for immediate servicing and will be considered as a candidate to be addressed in a future release. 
  • Release: Cases in the Release state are in preparation for release.  Sometimes this means they are awaiting official publication as part of our Patch Tuesday release, or other service update.  After your case has been fixed and is in a Resolved state, congratulations! You are free to discuss your findings publicly. We will give you credit for your work (unless otherwise specified) on our Researcher Acknowledgements Page.

If your Outlook.com account has been compromised, you can take action to recover your account and prevent it from being hacked again.

Visit the Windows Support site to learn how to handle forgotten passwords and other sign-in problems.

If your computer is showing symptoms of spyware, viruses, or other unwanted software, you should first let your antivirus software scan your computer and try to fix the problem.
 
You should also ensure that your computer has all the latest security updates from Microsoft Update, and that you are getting security updates automatically.
 
If you continue to have trouble, you can find additional support options by visiting the Microsoft Security services page.
 

If you’re having issues with Microsoft security updates, you can visit the Microsoft Support site to find fixes or contact the support team.
 
If you need technical information about security updates, please refer to the Security Update Guide, where you can search for information about a specific update or filter by release date and/or product range.
 

To find the appropriate support information for your location, visit Microsoft Product Support Services.
 
 

Cybercriminals often use phishing email messages to try to steal personal information. Learn how to recognize what a phishing email message looks like and how to avoid scams that use the Microsoft name fraudulently.

To learn about the latest scams, browse through the Security Tips & Talk blog posts.

If you think you’ve been the victim of a scam, find out how you can report it and protect yourself in the future.

Please send e-mail to piracy@microsoft.com, or visit the Microsoft Software Piracy Protection site for more information.

You can send us files that you think might be malware or files that have been incorrectly detected through the sample submission portal.

Please visit the Microsoft Support page for more information.
 

Please submit your thoughts at Contact Us.

The MSRC portals require sign-in with a common social account (such as a Google or Microsoft Account) or an account in the Microsoft corporate Active Directory (AD) tenant. They do not currently support sign-in from other Azure Active Directory (AAD) tenants. Please check and confirm that you are signing in with one of the approved account types above.

Please submit feedback and feature ideas via the MSRC Portal support request form.

If none of these FAQs help clarify or resolve your issue, you may submit an MSRC Portal Support request. It will be triaged and managed on a best-effort basis depending on available resourcing.