Microsoft takes the security of our software products and services seriously, including all source code repositories managed through our GitHub organizations, such as:
If you believe you've found a security vulnerability in any Microsoft-owned repository that meets Microsoft's definition of a security vulnerability, please report it to us as described in the following section.
Please do not report security vulnerabilities through public sites such as GitHub issues.
Rather than reporting in public, please report security vulnerabilities to the Microsoft Security Response Center (MSRC) at https://msrc.microsoft.com/create-report.
If you prefer to submit without signing in, send email to secure@microsoft.com. If possible, encrypt your message with our PGP key. You can download our PGP key from the Microsoft Security Response Center PGP Key page.
You should receive a response within 24 hours. If you don't, please follow up via email to ensure we received your original message. Additional information can be found at microsoft.com/msrc.
Please include as much of the requested information listed below as possible to help us better understand the nature and scope of the issue:
- Type of issue, e.g. buffer overflow, SQL injection, cross-site scripting, etc.
- Full paths of source files related to the manifestation of the issue.
- The location of the affected source code such as tag, branch, commit, or direct URL.
- Any special configuration required to reproduce the issue.
- Step-by-step instructions to reproduce the issue.
- Proof-of-concept or exploit code, if possible.
- Impact of the issue, including how an attacker might exploit the issue.
This information helps us triage your report more quickly.
If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. See our Microsoft Bug Bounty Program page for more details about our active programs.
We prefer all communications to be in English.
Microsoft follows the principle of Coordinated Vulnerability Disclosure.