Security Experts:

Connect with us

Hi, what are you looking for?


Management & Strategy

Microsoft Explains How It Processes Vulnerability Reports

Microsoft has detailed the steps involved in the processing of vulnerability reports, so that reporting researchers know what to expect when submitting information on a bug.

Microsoft has detailed the steps involved in the processing of vulnerability reports, so that reporting researchers know what to expect when submitting information on a bug.

The first thing researches need to do, the company says, is to ensure that the issue they have identified indeed qualifies as a security vulnerability, and only then to head over to Microsoft’s Researcher Portal to submit a report.

The portal, the tech company notes, delivers a secure and guided way for security researchers to share all of the necessary details required to reproduce a reported vulnerability and identify a fix for it. Each vulnerability should have its own report.

“The portal will also guide you in working out what additional information you will need to write a high-quality report. High-quality reports will help your researcher reputation score, and if your report qualifies for one of our bounty program rewards, you also may receive a higher reward amount too,” Microsoft notes.

Once a report has been submitted, Microsoft’s employees will triage it, assessing whether it indeed details a security flaw and assigning it to the relevant product engineering team. Only security vulnerabilities that meet Microsoft’s servicing criteria will be provided a case number.

The company next evaluates the severity and impact of vulnerabilities that can be reproduced, and then the information is sent to product engineers for further action. While a report is marked as ‘New’ in the Researcher Portal during triage and case assignment, its state is changed to ‘Review/Repro’ at the next step, and the reporter is informed via email, Microsoft notes.

“This process can take some time, depending on the complexity of the issue and the completeness of your submission. You will receive an email when your case moves to the development stage, and this can take up to one or two weeks, sometimes less and occasionally more. If you do not hear back from us within two weeks, please check your junk folder before reaching out to us,” the tech company says.

Microsoft also explains that, for vulnerabilities that its employees determine should be addressed through immediate servicing, a fix will be developed and made available in coordination with the release teams. The report’s status in the Researcher Portal in this case is changed to ‘Develop’.

At this stage, the bounty team reviews the submission to determine if it is eligible for an award. The reporter is informed via email if the report qualifies for a bug bounty payout. Researchers are required to have an account with one of the payment providers for the Microsoft Bounty Programs, to receive their reward.

If a fix is being prepared for release, the report’s status changes to ‘Release’. The patch is usually included in the Update Tuesday release, or other service updates. After a fix has been rolled out, the report’s status changes to ‘Complete’, Microsoft says.

Related: Microsoft Patches 129 Vulnerabilities With September 2020 Security Updates

Related: Microsoft Adds Scenario-Based Rewards to Windows Insider Preview Bounty Program

Related: Microsoft Paid Out Nearly $14 Million via Bug Bounty Programs in Past Year

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.