マイクロソフトのオンラインサービスにおける、脆弱性の深刻度分類の公開
Tuesday, April 18, 2023
本ブログは、Microsoft Vulnerability Severity Classification for Online Services Publication の抄訳版です。最新の情報は原文を参照してください。 マイク
Security Research
Announcing the Microsoft Machine Learning Membership Inference Competition (MICO)
Wednesday, November 16, 2022
We’re excited to announce the launch of a new competition focusing on the security and privacy of machine learning (ML) systems. Machine learning has already become a key enabler in many products and services, and this trend is likely to continue. It is therefore critical to understand the security and privacy guarantees provided by state-of-the-art ML algorithms – indeed this is one of Microsoft’s Responsible AI Principles.
New Research Paper: Pre-hijacking Attacks on Web User Accounts
Monday, May 23, 2022
In 2020, MSRC awarded two Identity Project Research Grants to support external researchers working to further strengthen the security of identity protocols and systems. Today we are pleased to release the results of the first of these projects. This research, led by independent security researcher Avinash Sudhodanan, investigated account pre-hijacking – a new class of attacks affecting websites and other online services.
Expanding High Impact Scenario Awards for Microsoft Bug Bounty Programs
Thursday, April 14, 2022
We are excited to announce the addition of scenario-based bounty awards to the Dynamics 365 and Power Platform Bounty Program and M365 Bounty Program. Through these new scenario-based bounty awards, we encourage researchers to focus their research on vulnerabilities that have the highest potential impact on customer privacy and security. Awards increase by up to 30% ($26,000 USD total) for eligible scenario submissions.
On-Premises Servers Products are Here! Introducing the Applications and On-Premises Servers Bug Bounty Program
Tuesday, April 05, 2022
Microsoft is excited to announce the addition of Exchange on-premises, SharePoint on-premises, and Skype for Business on-premises to the Applications and On-Premises Servers Bounty Program. Through this expanded program, we encourage researchers to discover and report high-impact security vulnerabilities to help protect customers. We offer awards up to $26,000 USD for eligible submissions.
Exploring a New Class of Kernel Exploit Primitive
Tuesday, March 22, 2022
The security landscape is dynamic, changing often and as a result, attack surfaces evolve. MSRC receives a wide variety of cases spanning different products, bug types and exploit primitives. One particularly interesting primitive we see is an arbitrary kernel pointer read. These often happen when kernel mode code does not validate that pointers read from attacker-controlled input actually point to the user-mode portion of the Virtual Address Space (VAS).
New High Impact Scenarios and Awards for the Azure Bounty Program
Monday, October 18, 2021
Microsoft is excited to announce new Azure Bounty Program awards up to $60,000 to encourage and reward vulnerability research focused on the highest potential impact to customer security. These increased awards are a part of our ongoing investment in partnership with the security research community, and an important part of Microsoft’s holistic approach to defending against security threats.
Power Platform is Here! Introducing the Dynamics 365 and Power Platform Bug Bounty Program
Wednesday, October 13, 2021
Microsoft is excited to announce the addition of Power Platform to the newly rebranded Dynamics 365 and Power Platform Bounty Program. Through this expanded program, we encourage researchers to discover and report high impact security vulnerabilities they may find in the new Power Platform scope to help protect customers. We offer awards up to $20,000 USD for eligible submissions.
Announcing the Launch of the Azure SSRF Security Research Challenge
Thursday, August 19, 2021
Microsoft is excited to announce the launch of a new, three-month security research challenge under the Azure Security Lab initiative. The Azure Server-Side Request Forgery (SSRF) Research Challenge invites security researchers to discover and share high impact SSRF vulnerabilities in Microsoft Azure. Qualified submissions are eligible for bounty rewards up to $60,000 USD, with additional awards for identifying innovative or novel attack patterns.
Introducing Bounty Awards for Teams Mobile Applications Security Research
Monday, July 19, 2021
We are pleased to announce the addition of Microsoft Teams mobile applications to the Microsoft Applications Bounty Program. Through the expanded program we welcome researchers from across the globe to seek out and disclose any high impact security vulnerabilities they may find in Teams mobile applications to help secure customers. Rewards up to $30,000 USD are available for eligible submissions.