Microsoft Explains How It Processes Vulnerability Reports
Microsoft has detailed the steps involved in the processing of vulnerability reports, so that reporting researchers know what to expect when submitting information on a bug.
The first thing researches need to do, the company says, is to ensure that the issue they have identified indeed qualifies as a security vulnerability, and only then to head over to Microsoft’s Researcher Portal to submit a report.
The portal, the tech company notes, delivers a secure and guided way for security researchers to share all of the necessary details required to reproduce a reported vulnerability and identify a fix for it. Each vulnerability should have its own report.
“The portal will also guide you in working out what additional information you will need to write a high-quality report. High-quality reports will help your researcher reputation score, and if your report qualifies for one of our bounty program rewards, you also may receive a higher reward amount too,” Microsoft notes.
Once a report has been submitted, Microsoft’s employees will triage it, assessing whether it indeed details a security flaw and assigning it to the relevant product engineering team. Only security vulnerabilities that meet Microsoft’s servicing criteria will be provided a case number.
The company next evaluates the severity and impact of vulnerabilities that can be reproduced, and then the information is sent to product engineers for further action. While a report is marked as ‘New’ in the Researcher Portal during triage and case assignment, its state is changed to ‘Review/Repro’ at the next step, and the reporter is informed via email, Microsoft notes.
“This process can take some time, depending on the complexity of the issue and the completeness of your submission. You will receive an email when your case moves to the development stage, and this can take up to one or two weeks, sometimes less and occasionally more. If you do not hear back from us within two weeks, please check your junk folder before reaching out to us,” the tech company says.
Microsoft also explains that, for vulnerabilities that its employees determine should be addressed through immediate servicing, a fix will be developed and made available in coordination with the release teams. The report’s status in the Researcher Portal in this case is changed to ‘Develop’.
At this stage, the bounty team reviews the submission to determine if it is eligible for an award. The reporter is informed via email if the report qualifies for a bug bounty payout. Researchers are required to have an account with one of the payment providers for the Microsoft Bounty Programs, to receive their reward.
If a fix is being prepared for release, the report’s status changes to ‘Release’. The patch is usually included in the Update Tuesday release, or other service updates. After a fix has been rolled out, the report’s status changes to ‘Complete’, Microsoft says.