Microsoft Security Reporting

Microsoft takes the security of our software products and services seriously. This commitment extends to all source code repositories managed through our GitHub organizations, including:

• Microsoft
• Azure
• DotNet
• AspNet
• Xamarin
• Other Microsoft GitHub organizations

If you believe you have discovered a security vulnerability in any Microsoft-owned repository that meets Microsoft's definition of a security vulnerability, please report it to us following the guidelines below.

Important: Please do not report security vulnerabilities through public GitHub issues.

1. Submit your report to the Microsoft Security Response Center (MSRC):

   • Preferred method: https://msrc.microsoft.com/create-report
   • Alternative method (if you prefer not to log in): Send email to secure@microsoft.com

2. For encrypted communication: Consider encrypting your message with our PGP key, available from the Microsoft Security Response Center PGP Key page.

3. Response timeline: You should receive a response within 24 hours. If you don't, please send a follow-up email to ensure we received your original message.

4. Additional information: For more details on the reporting process, visit microsoft.com/msrc.

To help us quickly assess the issue, please include as much of the following information as possible:

Providing thorough information helps us evaluate your report more efficiently.

Bug Bounty Programs: If you're reporting for a bug bounty, more complete reports can contribute to a higher bounty award. For details about our active programs, visit the Microsoft Bug Bounty Program page.

We prefer all communications to be in English.

Microsoft follows the principle of Coordinated Vulnerability Disclosure.