How MSRC coordinates vulnerability research and disclosure while building community

In an era where discovering and rapidly mitigating security vulnerabilities is more important than ever before, the Microsoft Security Response Center (MSRC) is at the center of this work. MSRC focuses on investigating vulnerabilities, coordinating their disclosure, and releasing security updates to help protect customers and Microsoft from current and emerging cyberthreats related to security and privacy. MSRC partners with product teams across Microsoft—as well as external security researchers—to investigate reports of security vulnerabilities affecting Microsoft products and services.
MSRC also fosters the development of a stronger and more effective security researcher community through a variety of initiatives, including the Microsoft bug bounty program, the BlueHat security conference, the MSRC blog, and internal security training for engineers.
Microsoft uses a Coordinated Vulnerability Disclosure (CVD) process that recognizes security researchers while disclosing vulnerabilities in a responsible and timely manner.
Collaboration through bug bounty programs and researcher recognition
Security researchers are incentivized to find vulnerabilities and report them through a Coordinated Vulnerability Disclosure (CVD) process. Some reported vulnerabilities are eligible for rewards as part of Microsoft’s bug bounty programs. These programs are an important part of our proactive strategy of incentivizing the external security research community to partner with us and help protect our customers from security threats. Since their inception in 2013, Microsoft’s bug bounty programs have awarded more than $60 million in bounties to security researchers.
In 2024, we announced expansions to several existing bounty programs, and launched a new Defender Bounty Program and AI Bounty Program. We also expanded our bug bounty programs with Microsoft Zero Day Quest, which adds $4 million in potential bug bounty rewards for research into high-impact areas, specifically cloud and AI. Security researchers who report a vulnerability that isn’t eligible for a bug bounty can still take part in the Microsoft Researcher Recognition Program and be recognized for their work on the Researcher Leaderboard.
Coordinated Vulnerability Disclosure (CVD)
Microsoft follows the CVD principle when partnering with external security researchers to respond to and mitigate vulnerabilities in our products and services. This approach gives researchers recognition for their work—and provides Microsoft an opportunity to address newly reported vulnerabilities before bad actors can exploit them.
To better protect our products and services, MSRC partners with Microsoft engineering teams to build proactive mitigations using the information provided by both internal and external security researchers. This can significantly reduce or eliminate classes of vulnerabilities.
Many cloud service vulnerabilities are fixed by Microsoft on our servers and don’t require customers to take action to stay secure, but for the purpose of transparency we now disclose all critical cloud common vulnerabilities and exposures (CVEs). In cases where Microsoft customers need to act, Microsoft provides them with clear and timely security guidance.
To help customers accelerate their security response and remediation, Microsoft recently expanded our CVD strategy to include machine-readable Common Security Advisory Framework (CSAF) files that complement our existing CVD data sharing channels. With CSAF files, Microsoft customers now have machine-readable information on known vulnerabilities. This capability is part of our comprehensive strategy for vulnerability disclosure, which includes our Security Updates API and the human-readable vulnerability disclosures provided in the MSRC Security Update Guide.
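To show what a consumer of such machine-readable advisories can do with them, here is an added example (not Microsoft's code or a real MSRC file) that reads a CSAF 2.0-shaped JSON document and produces a per-product triage list. The advisory, CVE identifiers and product names are constructed placeholders, and the product tree is assumed to use the flat full_product_names form rather than nested branches.

```python
import json

# Constructed CSAF 2.0-shaped advisory for illustration only; not a real MSRC file.
# The CVE ids are placeholders and the product names are made up.
SAMPLE_CSAF = json.dumps({
    "document": {"title": "Constructed sample advisory",
                 "tracking": {"id": "SAMPLE-ADV-0001", "status": "final"}},
    "product_tree": {"full_product_names": [
        {"product_id": "P-1", "name": "Example Desktop App 1.0"},
        {"product_id": "P-2", "name": "Example Cloud Service"}]},
    "vulnerabilities": [
        {"cve": "CVE-0000-0001",
         "product_status": {"known_affected": ["P-1"]},
         "remediations": [{"category": "vendor_fix", "product_ids": ["P-1"],
                           "details": "Install the security update."}],
         "scores": [{"products": ["P-1"],
                     "cvss_v3": {"baseScore": 8.8, "baseSeverity": "HIGH"}}]},
        {"cve": "CVE-0000-0002",
         "product_status": {"fixed": ["P-2"]},
         "remediations": [{"category": "vendor_fix", "product_ids": ["P-2"],
                           "details": "Fixed in the service; no customer action."}],
         "scores": [{"products": ["P-2"],
                     "cvss_v3": {"baseScore": 9.1, "baseSeverity": "CRITICAL"}}]}]})


def product_names(doc):
    """Map product_id -> human name from the flat full_product_names list
    (nested 'branches' trees, which CSAF also allows, are not walked here)."""
    return {p["product_id"]: p["name"]
            for p in doc.get("product_tree", {}).get("full_product_names", [])}


def triage(csaf_text):
    """One row per (CVE, product): status, CVSS base score, remediation text and
    whether the customer still has to act (only 'known_affected' products do;
    products already under 'fixed' are kept for the record). Highest score first."""
    doc = json.loads(csaf_text)
    names = product_names(doc)
    rows = []
    for vuln in doc.get("vulnerabilities", []):
        score_by_pid = {pid: s["cvss_v3"]["baseScore"]
                        for s in vuln.get("scores", []) for pid in s["products"]}
        fix_by_pid = {pid: r.get("details", "") for r in vuln.get("remediations", [])
                      for pid in r.get("product_ids", [])}
        for status, pids in vuln.get("product_status", {}).items():
            for pid in pids:
                rows.append({"cve": vuln["cve"], "product": names.get(pid, pid),
                             "status": status, "score": score_by_pid.get(pid),
                             "action_required": status == "known_affected",
                             "remediation": fix_by_pid.get(pid)})
    return sorted(rows, key=lambda r: r["score"] or 0, reverse=True)
```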
Microsoft Active Protections Program (MAPP)
The Microsoft Active Protections Program (MAPP) gives security technology providers early access to vulnerability information so that they can more rapidly provide updated protections to their customers. More than 100 MAPP partners receive security vulnerability information from the MSRC in advance of Microsoft’s monthly security update release. Partners use this information to provide protections through their security software or devices, such as antivirus software, network-based intrusion detection systems, or host-based intrusion prevention systems.
To learn about the MAPP program, including which types of organizations are eligible to join MAPP, what is required of member organizations, and MAPP program tiers, read the MAPP Frequently Asked Questions.
Release of security updates
Microsoft-managed backend services require no additional customer action to stay secure. In cases where customers must take action to stay secure, we release security updates.
After a vulnerability that requires customers to take action has been fixed in our products, MSRC provides updates. MSRC releases security updates for most Microsoft products on the second Tuesday of each month at 10:00 AM PT and recommends that IT administrators and other customers plan their deployment schedules accordingly.
Cybersecurity education through content and conferences
A key component of MSRC’s work is to provide educational content for the security community. MSRC shares important public updates on vulnerabilities and more on the MSRC blog (you can also subscribe through the MSRC RSS feed). The latest information about security-related deployments, known vulnerabilities, and advisories can be found on the Security Update Guide.
MSRC also works to build a stronger security researcher community by hosting the BlueHat security conference. BlueHat brings together leading researchers and security practitioners, providing a platform to share knowledge and best practices around security. If you missed the latest conference, you can view on-demand presentations from past conferences or listen to the BlueHat Podcast (subscribe here).
Learn more about the Microsoft Security Response Center
To learn more about MSRC, visit us at msrc.microsoft.com. There, you can find detailed information on our programs and access educational resources. You can also learn more about MSRC and Microsoft’s related security initiatives through the following resources:
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.