What to Expect When Reporting Vulnerabilities to Microsoft

At the Microsoft Security Response Center (MSRC), our mission is to protect our customers, communities, and Microsoft from current and emerging threats to security and privacy. One of the ways we do this is by working with security researchers to discover security vulnerabilities in our services and products, and then making sure those that pose a threat to customers get fixed. Many researchers report these types of issues to many different companies, and how these companies manage their process for receiving, assessing, and fixing these issues can vary considerably. We want to share how our process works, what you can do to help us speed up your submission through our process when reporting security vulnerabilities to Microsoft, and what to expect afterwards.

Before you submit a report, please check whether the issue you’re reporting meets the definition of a security vulnerability. Once you are confident that your submission meets Microsoft’s security service definition, go to our Researcher Portal and log in to report it. If you do not yet have an account, you will have the option of creating one at that time.

Using our portal provides the best experience and usually results in faster and easier collaboration between researchers and the MSRC. The portal provides a secure and guided way to provide the necessary information for us to quickly reproduce the issue and respond to your report, and ultimately fix the vulnerabilities that may cause a threat. The portal will also guide you in working out what additional information you will need to write a high-quality report. High-quality reports will help us provide you with the fastest response and may help you qualify for higher bug bounty rewards.

If you have found multiple security vulnerabilities, please create a separate submission for each issue. This will help us provide you a faster response and resolution for each report.

Here’s what you can expect to happen after you submit a vulnerability:

Triage: Our team will check that your report is a security vulnerability and will then assign it to the relevant product engineering team. This typically takes two business days. If you opted-in for automatic communications, you will receive a message from our triage team when the case is either closed as non-serviceable or will need further evaluation. During this process, your submission will be labeled as “New” in the portal.

Case Assignment: If the security vulnerability you reported meets our servicing criteria it will be assigned a case number and a case manager. Your case manager will oversee the case assessment, the creation of a plan to address the vulnerability, and answer any questions you may have along the way

Review/Reproduce: Our team will attempt to reproduce the reported issue and evaluate the severity and security impact. During this process, your submission will be labeled as “Review/Repro” in the portal. This work can take up to one or two weeks, sometimes less and occasionally more. If you do not hear back from us within two weeks, please reach out. If you haven’t received any messages since submitting your report, please also check your junk folder to ensure you are receiving communications from MSRC.

If your case is assessed as important or critical severity, we will send it to the appropriate product engineering team to fix. If it is assessed as low or moderate severity, by design, or an issue we have determined we will not fix, your case will not move forward to the development stage. Instead, your case manager will reach out to you to inform you of this decision and your case will be closed. After your case has been closed in this stage, its state will show as “Complete” in the portal. A status of “Complete” for this scenario does NOT mean that the reported vulnerability has been fixed.

Developing a fix: This stage typically takes the longest of any while we prepare a fix and coordinate with our release teams. Reports in this state have the “Develop” state in the Researcher Portal. Our case managers are in regular contact with the product engineering team during this stage and will update you if there are unusual delays. However, updates will generally be less frequent during this stage. If you have a question about disclosure during this time, please reach out to the assigned case manager.

Also, now that case assessment is complete the Microsoft Bug Bounty team will review your submission for award eligibility. If your submission qualifies for a bug bounty award, you will receive an email notifying you of the good news! If this is your first award from Microsoft Bounty Programs, you will need to set up an account with one of our payment providers to receive your award. We will send instructions on how to do this in the bounty award email. Please see the Microsoft Bounty Program FAQs for more information.

Release Process: Cases in the “Release” state are in preparation for release. Sometimes this means they are awaiting official publication as part of our monthly Patch Tuesday release, or other service update. Once your submission has reached this state, a case manager will notify you that a fix has been reported and verify your acknowledgement information.

Complete: After the case has been fixed and released to customers, its state will show as “Complete” in the portal. Congratulations! A case manager will again notify you that the vulnerability is fixed and that the case has been closed. You will now be free to discuss your findings publicly if you would like. We will also give you credit for your work (unless you’ve told us otherwise) on our Researcher Acknowledgements page.

During any of the above stages we may conclude that your case does not warrant immediate servicing. Your case manager will reach out to you to inform you of this decision and your submission will be considered when the engineering team is developing the next or other future releases of the software.

The table below should clarify what each status within the Researcher Portal means for your submission. Throughout the process we will reach out to you if we have any questions or need any further details. If at any time you have a question about your report or more information to provide, please respond to the latest email message from your case manager.

Researcher Portal Status

What is happening

New

We are triaging your submission. You will receive an email with the triage result when it’s completed, typically within two US business days. If we determine your submission meets our servicing criteria, your submission will be assigned an MSRC case number and a case manager. Your case manager will oversee its assessment and the creation of a plan to address the vulnerability and answer any questions you may have along the way

Review/Repro

We are working on reproducing and assessing the severity and security impact your case. This phase may take up to two weeks, depending on the details shared in your submission and the complexity of the issue.

Review/Repro - Duplicate

We are working on reproducing and assessing your case. Our team has also determined that your case requires the same fix as another case we are working on. You will continue to receive updates as your submission progresses.

Develop

We have completed the assessment of your case and have sent it to the engineering team for evaluation and potential fix.

Develop - Duplicate

We have completed the assessment of your case and have sent it to the engineering team for evaluation and potential fix. Also, our team has decided your submission requires the same fix as another case we are working on.

Pre-Release

The engineering team is finishing the fix for your case and has set a target release date for it. Please notify your case manager if you would like to make any change to your acknowledgement information associated with the upcoming CVE or Online Services Acknowledgment.

Pre-Release - Duplicate

We are finishing working on the fix for your case and have set a targeted release date for the fix for your case. Even though your submission requires the same fix as another case we are working on, you will still receive public thanks and acknowledgment when the issue is fixed. .

Complete

Your case has been resolved and you will receive an email from your case manager with the resolution details.

Complete - Duplicate

Your case has been resolved and you will receive an email from your case manager with the resolution information. The fix for your case was the same as another case.

Complete - NA

This submission does not meet the bar for servicing for MSRC, and we have closed your case. You will receive an email with case details.

Hopefully, this blog post has helped you understand how to speed up your submission through our process, how to maximize your researcher reputation score and any applicable bounty rewards, given you some insight as to how our process works, and what to expect from us while we triage, reproduce, develop, and release any fix. If you have additional questions, please visit our Frequently Asked Questions (FAQ) page.