Microsoft takes the security of its software products and services seriously. This includes all source code repositories managed through our GitHub organizations, including Microsoft, Azure, DotNet, AspNet, and Xamarin.
If you believe you have found a security vulnerability in any Microsoft-owned repository that meets Microsoft's definition of a security vulnerability, please report it to us as described below.
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them to the Microsoft Security Response Center (MSRC) at https://msrc.microsoft.com/create-report.
If you prefer to submit without logging in, send an email to secure@microsoft.com. If possible, encrypt your message with our PGP key; please download it from the Microsoft Security Response Center PGP Key page.
You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at microsoft.com/msrc.
Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:
- Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting)
- Full paths of source file(s) related to the manifestation of the issue
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit the issue
This information will help us triage your report more quickly.
If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our Microsoft Bug Bounty Program page for more details about our active programs.
We prefer all communications to be in English.
Microsoft follows the principle of Coordinated Vulnerability Disclosure.
Secure development practices for this repository include:
- Follow secure coding practices to prevent common vulnerabilities such as SQL injection, cross-site scripting (XSS), and buffer overflows.
- Validate and sanitize all user inputs to prevent injection attacks.
- Use parameterized queries or prepared statements for database interactions.
- Avoid using hard-coded credentials or sensitive information in the codebase.
- Implement proper error handling and logging to avoid exposing sensitive information.
- Conduct regular security reviews of the codebase to identify and address potential vulnerabilities.
- Perform code reviews to ensure adherence to secure coding practices.
- Use automated security scanning tools to detect vulnerabilities in the code and dependencies.
- Stay updated with the latest security patches and updates for all dependencies and libraries used in the project.
- Ensure that all developers and contributors undergo mandatory security training.
- Provide training on secure coding practices, common vulnerabilities, and how to mitigate them.
- Encourage developers to stay informed about the latest security trends and best practices.
We have established a process for monitoring and responding to security alerts generated by our automated security tools. This process includes:
- Regularly monitoring security alerts from tools such as CodeQL, Dependabot, and Frogbot.
- Triaging and prioritizing security alerts based on their severity and potential impact.
- Assigning responsible team members to investigate and address security alerts promptly.
- Implementing fixes for identified vulnerabilities and ensuring they are thoroughly tested before deployment.
- Communicating with the community and stakeholders about any security incidents and the steps taken to address them.