Microsoft Online Services Acknowledgments
Frequently Asked Questions
- Type of issue (cross-site scripting, SQL injection, etc.)
- Any special configuration required to reproduce the issue
- Proof-of-concept / URL demonstrating the vulnerability
- Impact of the issue, including how an attacker could exploit the issue
- To encrypt your message to our PGP key, please download it from the Microsoft Security Response Center PGP Key.
Online services security vulnerabilities are issues that may allow an attacker to misuse a web application through methods such as cross-site scripting or SQL injection.
We want online services security researchers to know that we respect and appreciate their contribution to the security of Microsoft’s web properties. We appreciate any researcher who responsibly submits vulnerabilities, which helps protect customers from security threats.
Security bulletins are a "call-to-action" from the Microsoft Security Response Center and generally include mitigations, workarounds, and vulnerability details that customers can use to help protect themselves. They also include security update information that will help customers verify their status. Because Microsoft fixes online services vulnerabilities on our side, there is generally no call-to-action for customers and generally no security bulletin.
You only have to submit one Microsoft-verified security vulnerability for Microsoft to add your name to the acknowledgment page.
Microsoft will not pursue legal action against security researchers who submit potential online services security vulnerabilities through coordinated vulnerability disclosure.
Online services security researchers are able to query the site for submission history, and in future versions we intend to make the query process more comprehensive.
When closing the MSRC Security investigation, Microsoft will send the researcher a case closure email asking whether to publish the researcher’s name on the online services security researcher acknowledgment page.