MSRC

What to expect when reporting vulnerabilities to Microsoft

At the Microsoft Security Response Center (MSRC), our mission is to protect our customers, communities, and Microsoft from current and emerging threats to security and privacy. One way we achieve this is by working with security researchers to identify and fix security vulnerabilities in our services and products that could pose a threat to our customers. Many researchers report these types of issues to many different companies, and how these companies manage their process for receiving, assessing, and fixing these issues can vary considerably. We want to share how our process works, what you can do to help us speed up your submission through our process when reporting security vulnerabilities to Microsoft, and what to expect afterwards.

Before you submit a report, please check whether the issue you’re reporting meets Microsoft’s definition of a security vulnerability. Once you have confirmed that it does, go to our Researcher Portal and log in to report it. If you do not yet have an account, you will have the option of creating one at that time.

Using our portal provides the best experience for fast and easy collaboration between researchers and the MSRC. The Researcher Portal provides a secure and guided way for you to provide the necessary information for us to quickly reproduce the issue, respond to your report, and ultimately fix the vulnerabilities that may cause a threat. The portal will also help guide you in writing a complete and high-quality report. High-quality reports will help us provide you with the fastest response and may help you qualify for higher bug bounty rewards.

If you have found multiple security vulnerabilities, please create a separate submission for each issue. This will help us provide a faster response and resolution for each report.

Here’s what you can expect to happen after you submit a vulnerability:  

Triage: Our team will check that your report is a security vulnerability and will then assign it to the relevant product engineering team. This typically takes up to two U.S. business days. If you have opted-in for automatic communications, you will receive a message from our triage team when the case is either closed as non-serviceable or requires further evaluation. During this process, your submission will be labeled as “New” in the portal.

Case Assignment: If the security vulnerability you reported meets our servicing criteria, it will be assigned a case number and a case manager. Your case manager will oversee the case assessment and the creation of a plan to address the vulnerability, and will answer any questions you may have along the way.

Review/Reproduce: Our team will attempt to reproduce the reported issue and evaluate the severity and security impact. During this process, your submission will be labeled as “Review/Repro” in the portal. This work can take from a few days to up to two weeks, depending on the details you provided in your report and the complexity of the issue. We appreciate all reports and work to reproduce every issue with the provided information. However, there are instances where we are unable to proceed with our investigation and address the issue without additional information. In such situations, a case manager may contact you to request additional details. We kindly ask that you respond within three U.S. business days to ensure that we can provide you and Microsoft customers with as rapid a case remediation as possible.

If your case is assessed as important or critical severity, we will send it to the appropriate product engineering team to fix. If it is assessed as low or moderate severity, as by design, or as an issue we have determined we will not fix, your case will not move forward to the development stage. Instead, your case manager will contact you to inform you of this decision and your case will be closed. After your case has been closed at this stage, its state will show as “Complete” in the portal. A status of “Complete” in this scenario does NOT indicate that the reported vulnerability has been fixed.

Developing a fix: This stage typically takes the longest of any while we prepare a fix and coordinate with our release teams. Reports in this state are labeled as “Develop” in the Researcher Portal. Our case managers maintain regular contact with the product engineering team during this stage and will update you if there are unusual delays. However, updates will generally be less frequent during this stage. If you have any questions about disclosure during this time, please reach out to the assigned case manager.  

Bug Bounty Review: Now that case assessment is complete, the Microsoft Bug Bounty team will review your submission for award eligibility. If your submission qualifies for a bug bounty award, you will receive an email notifying you of the good news! If this is your first award from Microsoft Bounty Programs, you will need to set up an account with one of our payment providers to receive your award. We will send instructions on how to do this in the bounty award email. Please see the Microsoft Bounty Program FAQs for more information.

Pre-Release Process: Cases in the “Release” state are in preparation for release. Sometimes this means they are awaiting official publication as part of our monthly Patch Tuesday release or another service update. Once your submission has reached this state, a case manager will notify you that a fix is being prepared for release and verify your acknowledgement information.

Complete: Cases in the “Complete” state are closed, which includes issues we determined will not be fixed or cases that have been fixed. If the case was fixed and released to customers, a case manager will notify you again, confirming that the vulnerability is fixed and that the case has been closed. Congratulations! You will now be free to discuss your findings publicly if you wish. We will also give you credit for your work (unless you’ve told us otherwise) on our Researcher Acknowledgements page.

During any of the above stages, we may conclude that your case does not warrant immediate servicing. In such cases, your case manager will contact you to inform you of this decision, and your submission will be taken into consideration during the development of future software releases.

The table below clarifies what each status within the Researcher Portal means for your submission. Throughout the process, we will reach out to you if we have any questions or need additional details. If, at any time, you have a question about your report or have more information to provide, please respond to the latest email message from your case manager. We will strive to get back to you within three U.S. business days.  

Researcher Portal Status: What is happening

New: We are triaging your submission. You will receive an email with the triage result when it’s completed, typically within two U.S. business days. If we determine your submission meets our servicing criteria, your submission will be assigned an MSRC case number and a case manager. Your case manager will oversee its assessment and the creation of a plan to address the vulnerability, as well as answer any questions you may have along the way.

Review/Repro: We are working on reproducing your case and assessing its severity and security impact. This phase may take up to two weeks, depending on the details shared in your submission and the complexity of the issue. Your case manager may contact you if we need any additional details to understand and successfully reproduce the issue. We ask that you please respond to questions within three U.S. business days, and we will strive to do the same.

Review/Repro - Duplicate: We are working on reproducing and assessing your case. Our team has also determined that your case requires the same fix as another case we are working on. You will continue to receive updates as your submission progresses.

Develop: We have completed the assessment of your case and have sent it to the engineering team for evaluation and potential fix.

Develop - Duplicate: We have completed the assessment of your case and have sent it to the engineering team for evaluation and potential fix. Our team has also determined that your submission requires the same fix as another case we are working on.

Pre-Release: The engineering team is finishing the fix for your case and has set a target release date for it. Please notify your case manager if you would like to make any changes to the acknowledgement information associated with the upcoming CVE or Online Services Acknowledgment.

Pre-Release - Duplicate: We are finishing the fix for your case and have set a target release date for it. Even though your submission requires the same fix as another case we are working on, you will still receive public thanks and acknowledgment when the issue is fixed.

Complete: Your case has been resolved and you will receive an email from your case manager with the resolution details.

Complete - Duplicate: Your case has been resolved and you will receive an email from your case manager with the resolution details. The fix for your case was the same as for another case.

Complete - NA: This submission does not meet the bar for servicing by MSRC, and we have closed your case. You will receive an email with case details.

Hopefully, this blog post has helped you understand how to speed your submission through our process, how to maximize your researcher reputation score and any applicable bounty rewards, how our process works, and what to expect from us while we triage, reproduce, develop, and release any fix. If you have additional questions, please visit our Frequently Asked Questions (FAQ) page.
