Microsoft has detailed the steps involved in the processing of vulnerability reports, so that reporting researchers know what to expect when submitting information on a bug.
The first thing researchers need to do, the company says, is to ensure that the issue they have identified indeed qualifies as a security vulnerability, and only then to head over to Microsoft’s Researcher Portal to submit a report.
The portal, the tech company notes, delivers a secure and guided way for security researchers to share all of the necessary details required to reproduce a reported vulnerability and identify a fix for it. Each vulnerability should have its own report.
“The portal will also guide you in identifying what additional information you will need to write a high-quality report. High-quality reports will help your researcher reputation score, and if your report qualifies for one of our bounty program rewards, you also may receive a higher reward amount too,” Microsoft notes.
Once a report has been submitted, Microsoft’s team will triage it, assessing whether it indeed details a security flaw and assigning it to the relevant product engineering team. Only security vulnerabilities that meet Microsoft’s servicing criteria will be provided a case number.
The company next evaluates the severity and impact of vulnerabilities that can be reproduced, after which the information is sent to product engineers for further action. While a report is marked as ‘New’ in the Researcher Portal during triage and case assignment, its state is changed to ‘Review/Repro’ at the next step, and the reporter is informed via email, Microsoft notes.
“This process can take some time, depending on the complexity of the issue and the completeness of your submission. You will receive an email when your case moves to the development stage, and this can take up to one or two weeks, sometimes less and occasionally more. If you don’t hear back from us within two weeks, please check your junk folder before reaching out to us,” the tech company says.
Microsoft also explains that, for vulnerabilities that its team determines should be addressed by immediate servicing, a fix will be developed and made available in coordination with the release teams. The report’s status in the Researcher Portal in this case is changed to ‘Develop’.
At this stage, the bounty team reviews the submission to determine whether it is eligible for an award. The reporter is informed via email if the report qualifies for a bug bounty payout. Researchers are required to have an account with one of the payment providers for the Microsoft Bounty Programs to receive their reward.
If a fix is being prepared for release, the report’s status changes to ‘Release’. The patch is typically included in the Update Tuesday release, or other service updates. After a fix has been rolled out, the report’s status changes to ‘Complete’, Microsoft says.