1365 matches found

MSRC
added 2024/10/22 7:00 a.m., 12 views

Announcing the BlueHat 2024 Sessions

34 sessions from 54 presenters representing 20 organizations! We are thrilled to reveal the lineup of speakers and presentations for the 23rd BlueHat Security Conference, in Redmond WA from Oct 29-30. This year's conference continues the BlueHat ethos and Secure Future Initiative mission of...

7.2 AI score
Exploits: 0
MSRC
added 2024/08/07 7:00 a.m., 12 views

Announcing BlueHat 2024: Call for Papers now open

The 23rd edition of Microsoft’s BlueHat security conference will be hosted by the Microsoft Security Response Center (MSRC) at the Redmond, WA corporate campus, October 29 and 30, 2024. BlueHat brings together security researchers and responders from both inside and outside of Microsoft, who come...

7.3 AI score
Exploits: 0
MSRC
added 2024/08/06 7:00 a.m., 12 views

Congratulations to the MSRC 2024 Most Valuable Security Researchers!

The Microsoft Researcher Recognition Program offers public thanks and recognition to security researchers who help protect our customers through discovering and sharing security vulnerabilities under Coordinated Vulnerability Disclosure. Today, we are excited to recognize this year’s 100 Most...

7.5 AI score
Exploits: 0
MSRC
added 2024/08/05 7:00 a.m., 100 views

Microsoft Bounty Program Year in Review: $16.6M in Rewards

We are excited to announce that this year the Microsoft Bounty Program has awarded $16.6M in bounty awards to 343 security researchers from 55 countries, securing Microsoft customers in partnership with the Microsoft Security Response Center (MSRC). Each year we identify over a thousand potential...

7.3 AI score
Exploits: 0
MSRC
added 2024/08/05 7:00 a.m., 16 views

Microsoft Bounty Program Year in Review: $16.6M in Rewards

We are excited to announce that this year the Microsoft Bounty Program has awarded $16.6M in bounty awards to 343 security researchers from 55 countries, securing Microsoft customers in partnership with the Microsoft Security Response Center (MSRC). Each year we identify over a thousand potential...

7.3 AI score
Exploits: 0
MSRC
added 2024/07/31 7:00 a.m., 12 views

Introducing the MSRC Researcher Resource Center

Microsoft partners with the global security researcher community to surface and report security vulnerabilities to protect all users of Microsoft products and services. Researcher submissions help us address immediate threats while also identifying trends and insights to holistically improve the...

7.5 AI score
Exploits: 0
MSRC
added 2024/07/24 7:00 a.m., 16 views

Congratulations to the Top MSRC 2024 Q2 Security Researchers!

Congratulations to all the researchers recognized in this quarter’s Microsoft Researcher Recognition Program leaderboard! Thank you to everyone for your hard work and continued partnership to secure customers. The top three researchers of the 2024 Q2 Security Researcher Leaderboard are Yuki Chen,...

7.2 AI score
Exploits: 0
MSRC
added 2024/07/11 7:00 a.m., 4 views

Announcing the CVRF API 3.0 upgrade

At the Microsoft Security Response Center, we are committed to continuously improving the security and performance of our services to meet the evolving needs of our customers. We are excited to announce the rollout of the latest version of our Common Vulnerability Reporting CVRF API. This update...

7.3 AI score
Exploits: 0
MSRC
added 2024/07/11 7:00 a.m., 16 views

Announcing the CVRF API 3.0 upgrade

At the Microsoft Security Response Center, we are committed to continuously improving the security and performance of our services to meet the evolving needs of our customers. We are excited to announce the rollout of the latest version of our Common Vulnerability Reporting CVRF API. This update...

7.3 AI score
Exploits: 0
MSRC
added 2024/07/03 7:00 a.m., 45 views

What’s new in the MSRC Report Abuse Portal and API

The Microsoft Security Response Center (MSRC) has always been at the forefront of addressing cyber threats, privacy issues, and abuse arising from Microsoft Online Services. Building on our commitment, we have introduced several updates to the Report Abuse Portal and API, which will significantly...

7.2 AI score
Exploits: 0
MSRC
added 2024/06/27 7:00 a.m., 24 views

Toward greater transparency: Unveiling Cloud Service CVEs

Welcome to the second installment in our series on transparency at the Microsoft Security Response Center (MSRC). In this ongoing discussion, we discuss our commitment to provide comprehensive vulnerability information to our customers. At MSRC, our mission is to protect our customers, communities,...

7 AI score
Exploits: 0
MSRC
added 2024/06/17 7:00 a.m., 21 views

Mitigating SSRF Vulnerabilities Impacting Azure Machine Learning

Summary: On May 9, 2024, Microsoft successfully addressed multiple vulnerabilities within the Azure Machine Learning (AML) service, which were initially discovered by security research firms Wiz and Tenable. These vulnerabilities, which included Server-Side Request Forgeries (SSRF) and a path traversa...

7.4 AI score
Exploits: 0
MSRC
added 2024/06/03 7:00 a.m., 20 views

Improved Guidance for Azure Network Service Tags

Summary: Microsoft Security Response Center (MSRC) was notified in January 2024 by our industry partner, Tenable Inc., about the potential for cross-tenant access to web resources using the service tags feature. Microsoft acknowledged that Tenable provided a valuable contribution to the Azure...

7.2 AI score
Exploits: 0
MSRC
added 2024/04/17 7:00 a.m., 17 views

Congratulations to the Top MSRC 2024 Q1 Security Researchers!

Congratulations to all the researchers recognized in this quarter’s Microsoft Researcher Recognition Program leaderboard! Thank you to everyone for your hard work and continued partnership to secure customers. The top three researchers of the 2024 Q1 Security Researcher Leaderboard are Yuki Chen,...

7.2 AI score
Exploits: 0
MSRC
added 2024/04/08 7:00 a.m., 16 views

Toward greater transparency: Adopting the CWE standard for Microsoft CVEs

At the Microsoft Security Response Center (MSRC), our mission is to protect our customers, communities, and Microsoft from current and emerging threats to security and privacy. One way we achieve this is by determining the root cause of security vulnerabilities in Microsoft products and services. W...

7.2 AI score
Exploits: 0
MSRC
added 2024/04/02 7:00 a.m., 23 views

Embracing innovation: Derrick’s transition from banking to Microsoft’s Threat Intelligence team

Meet Derrick, a Senior Program Manager on the Operational Threat Intelligence team at Microsoft. Derrick’s role involves understanding and roadmapping the complete set of tools that Threat Intel analysts use to collect, analyze, process, and disseminate threat intelligence across Microsoft...

7.2 AI score
Exploits: 0
MSRC
added 2024/03/08 8:00 a.m., 21 views

Update on Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard

This blog provides an update on the nation-state attack that was detected by the Microsoft Security Team on January 12, 2024. As we shared, on January 19, the security team detected this attack on our corporate email systems and immediately activated our response process. The Microsoft Threat...

7.3 AI score
Exploits: 0
MSRC
added 2024/02/29 8:00 a.m., 12 views

Faye’s Journey: From Security PM to Diversity Advocate at Microsoft

Faye, a veteran at Microsoft for 22 years, has had a career as varied as it is long. Her journey began in 2002 as the first desktop security Project Manager (PM) in Microsoft IT. From there, she transitioned into owning a deployment team that deployed to desktops and handled operations for Office’s...

7.3 AI score
Exploits: 0
MSRC
added 2024/02/27 8:00 a.m., 18 views

Microsoft boosts its Microsoft 365 Insider Builds on Windows Bounty Program with higher awards and an expanded scope

Starting today, we are doubling the maximum bounty award for the Microsoft 365 Insider Bug Bounty Program to $30,000 USD for high impact scenarios, such as unauthenticated non-sandboxed code execution with no user interaction. We are also expanding the scope of our bounty program to include more...

8 AI score
Exploits: 0
MSRC
added 2024/02/26 8:00 a.m., 18 views

From Indiana Jones to Cybersecurity: The Inspiring Journey of Devin

As a young boy, Devin found himself captivated by the adventures of Indiana Jones, the whip-wielding archaeologist from the VHS movies his grandfather showed him. The thrill of unearthing history and the allure of the unknown ignited a spark in Devin, leading him to dream of becoming an...

7.2 AI score
Exploits: 0
MSRC
added 2024/02/20 8:00 a.m., 13 views

An Obsession With Impact: The Inspiring Journey of a Dreamer That Led to a Career at Microsoft

Bruce’s story unfolds in Cincinnati, Ohio. As a young boy, he had an ambitious dream of one day becoming the President of the United States. This aspiration remained his guiding star until he began his professional career after college. His mother, amused by his...

7.3 AI score
Exploits: 0
MSRC
added 2024/02/15 8:00 a.m., 14 views

New Security Advisory Tab Added to the Microsoft Security Update Guide

Today, we are adding a new Security Advisory tab to the Security Update Guide to meet our customers’ needs for a unified and authoritative source for the latest public information about Microsoft security updates and issues. We are continuously listening to feedback from users of the Security...

7 AI score
Exploits: 0
MSRC
added 2024/01/30 8:00 a.m., 23 views

Congratulations to the Top MSRC 2023 Q4 Security Researchers!

Congratulations to all the researchers recognized in this quarter’s Microsoft Researcher Recognition Program leaderboard! Thank you to everyone for your hard work and continued partnership to secure customers. The top three researchers of the 2023 Q4 Security Researcher Leaderboard are Yuki Chen,...

7.2 AI score
Exploits: 0
MSRC
added 2024/01/19 8:00 a.m., 19 views

Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard

The Microsoft security team detected a nation-state attack on our corporate systems on January 12, 2024, and immediately activated our response process to investigate, disrupt malicious activity, mitigate the attack, and deny the threat actor further access. Microsoft has identified the threat...

7.3 AI score
Exploits: 0
MSRC
added 2024/01/08 8:00 a.m., 18 views

BlueHat India Call for Papers is Now Open!

You asked for it and it’s finally here! The inaugural BlueHat India conference will be held May 16-17th, 2024, in Hyderabad, India! This intimate conference will bring together a unique blend of security researchers and responders, who come together as peers to exchange ideas, experiences, and...

7.3 AI score
Exploits: 0
MSRC
added 2023/12/28 8:00 a.m., 44 views

Microsoft addresses App Installer abuse

28 October 2024 Update: Microsoft disabled the ms-appinstaller URI scheme handler by default in App Installer on 28 December 2023 as a security response to protect customers from attackers’ evolving techniques against previous safeguards for CVE-2021-43890. Microsoft is pleased to announce that we...

7.1 CVSS, 7.3 AI score, 0.25241 EPSS
Exploits: 1
MSRC
added 2023/12/19 8:00 a.m., 19 views

Azure Serial Console Attack and Defense - Part 2

This is the second installment of the Azure Serial Console blog, which provides insights to improve defenders’ preparedness when investigating Azure Serial Console activity on Azure Linux virtual machines. While the first blog post discussed various tracing activities, such as using Azure activit...

7.2 AI score
Exploits: 0
MSRC
added 2023/12/07 8:00 a.m., 19 views

Microsoft Mitigates Three Vulnerabilities in Azure HDInsight

Summary: Microsoft recently remediated one Denial of Service and two Escalation of Privilege vulnerabilities affecting third party components of Azure HDInsight. Access to the target cluster as an authenticated user was a prerequisite for exploitation in all three cases. A successful...

7.5 AI score
Exploits: 0
MSRC
added 2023/11/21 8:00 a.m., 19 views

Introducing the Microsoft Defender Bounty Program

We are excited to announce the new Microsoft Defender Bounty Program with awards of up to $20,000 USD. The Microsoft Defender brand encompasses a variety of products and services designed to enhance the security of the Microsoft customer experience. The Microsoft Defender Bounty Program invites...

7.6 AI score
Exploits: 0
MSRC
added 2023/11/20 8:00 a.m., 12 views

Celebrating ten years of the Microsoft Bug Bounty program and more than $60M awarded

This year marks the tenth anniversary of the Microsoft Bug Bounty Program, an essential part of our proactive strategy to protect customers from security threats. Since its inception in 2013, Microsoft has awarded more than $60 million to thousands of security researchers from 70 countries. These...

7.5 AI score
Exploits: 0
MSRC
added 2023/11/17 8:00 a.m., 18 views

Reflecting on 20 years of Patch Tuesday

This year is a landmark moment for Microsoft as we observe the 20th anniversary of Patch Tuesday updates, an initiative that has become a cornerstone of the IT world’s approach to cybersecurity. Originating from the Trustworthy Computing memo by Bill Gates in 2002, our unwavering commitment to...

7.2 AI score
Exploits: 0
MSRC
added 2023/11/14 8:00 a.m., 20 views

Microsoft guidance regarding credentials leaked to GitHub Actions Logs through Azure CLI

Summary: The Microsoft Security Response Center (MSRC) was made aware of a vulnerability where Azure Command-Line Interface (CLI) could expose sensitive information, including credentials, through GitHub Actions logs. The researcher, from Palo Alto Networks Prisma Cloud, found that Azure CLI commands...

7.3 AI score
Exploits: 0
MSRC
added 2023/10/16 7:00 a.m., 24 views

Congratulations to the Top MSRC 2023 Q3 Security Researchers!

Congratulations to all the researchers recognized in this quarter’s Microsoft Researcher Recognition Program leaderboard! Thank you to everyone for your hard work and continued partnership to secure customers. The top three researchers of the 2023 Q3 Security Researcher Leaderboard are Wei,...

6.8 AI score
Exploits: 0
MSRC
added 2023/10/12 7:00 a.m., 17 views

Introducing the Microsoft AI Bug Bounty Program featuring the AI-powered Bing experience

Today at BlueHat we announced the new Microsoft AI bug bounty program with awards up to $15,000. This new bounty program features the AI-powered Bing experience as the first in scope product. The following products and integrations are eligible for bounty awards: AI-powered Bing experiences on...

6.9 AI score
Exploits: 0
MSRC
added 2023/10/10 7:00 a.m., 55 views

Microsoft Response to Distributed Denial of Service (DDoS) Attacks against HTTP/2

Summary: Beginning in September 2023, Microsoft was notified by industry partners about a newly identified Distributed Denial-of-Service (DDoS) attack technique being used in the wild targeting HTTP/2 protocol. This vulnerability (CVE-2023-44487) impacts any internet exposed HTTP/2 endpoints. As an...

7.5 CVSS, 7.5 AI score, 0.944 EPSS
Exploits: 19
MSRC
added 2023/10/10 7:00 a.m., 7 views

Microsoft Response to Distributed Denial of Service (DDoS) Attacks against HTTP/2

Summary: Beginning in September 2023, Microsoft was notified by industry partners about a newly identified Distributed Denial-of-Service (DDoS) attack technique being used in the wild targeting HTTP/2 protocol. This vulnerability (CVE-2023-44487) impacts any internet exposed HTTP/2 endpoints. As an...

7.5 CVSS, 7.6 AI score, 0.944 EPSS
Exploits: 19
MSRC
added 2023/10/05 7:00 a.m., 13 views

Cybersecurity Awareness Month 2023: Elevating Security Together

As the 20th anniversary of Cybersecurity Awareness Month begins, I find myself reflecting on the strides made since its inception. The journey to enhance and improve cybersecurity is ongoing and extends beyond October. It’s not merely a technological challenge; it is fundamentally about people...

6.8 AI score
Exploits: 0
MSRC
added 2023/10/02 7:00 a.m., 49 views

Microsoft’s Response to Open-Source Vulnerabilities - CVE-2023-4863 and CVE-2023-5217

Microsoft is aware and has released patches associated with the two Open-Source Software security vulnerabilities, CVE-2023-4863 and CVE-2023-5217. Through our investigation, we found that these affect a subset of our products and as of today, we have addressed them in our products as outlined...

8.8 CVSS, 8.3 AI score, 0.93301 EPSS
Exploits: 12
MSRC
added 2023/09/25 7:00 a.m., 21 views

Journey Down Under: How Rocco Became Australia’s Premier Hacker

Fun facts about Rocco Calvi @TecR0c: Microsoft MVR: Rocco is a 2023 Microsoft Most Valuable Researcher. Fitness fanatic: Inspired by old-school body building and countless hours of chopping and carrying wood in the mountains during his youth, Rocco remains a fitness enthusiast, setting himself...

6.9 AI score
Exploits: 0
MSRC
added 2023/09/18 7:00 a.m., 37 views

Microsoft mitigated exposure of internal information in a storage account due to overly-permissive SAS token

Summary: As part of a recent Coordinated Vulnerability Disclosure (CVD) report from Wiz.io, Microsoft investigated and remediated an incident involving a Microsoft employee who shared a URL for a blob store in a public GitHub repository while contributing to open-source AI learning models. This URL...

7.2 AI score
Exploits: 0
MSRC
added 2023/09/06 7:00 a.m., 31 views

Results of Major Technical Investigations for Storm-0558 Key Acquisition

March 12, 2024 update: As part of our continued commitment to transparency and trust outlined in Microsoft’s Secure Future Initiative, we are providing further information as it relates to our ongoing investigation. This new information does not change the customer guidance we previously shared, n...

7 AI score
Exploits: 0
MSRC
added 2023/08/10 7:00 a.m., 26 views

Azure Serial Console Attack and Defense - Part 1

Ever had a virtual machine crash? Azure Serial console is a great way to directly connect to your Virtual machine and debug what went wrong. Azure Serial Console is a feature that's available for free for everyone. While the primary intent of this feature is to assist users debug their machine,...

7.2 AI score
Exploits: 0
MSRC
added 2023/08/08 7:00 a.m., 22 views

Congratulations to the MSRC 2023 Most Valuable Security Researchers!

The Microsoft Researcher Recognition Program offers public thanks and recognition to security researchers who help protect our customers through discovering and sharing security vulnerabilities under Coordinated Vulnerability Disclosure. Today, we are excited to recognize this year’s top 100 Most...

7 AI score
Exploits: 0
MSRC
added 2023/08/08 7:00 a.m., 22 views

Updating our Vulnerability Severity Classification for AI Systems

The Microsoft Security Response Center (MSRC) is always looking for ways to provide clarity and transparency around how we assess the impact of vulnerabilities reported in our products and services. To this end, we are announcing the Microsoft Vulnerability Severity Classification for AI Systems, a...

7.4 AI score
Exploits: 0
MSRC
added 2023/08/07 7:00 a.m., 17 views

Microsoft Bug Bounty Program Year in Review: $13.8M in Rewards

We are thrilled to share the results of our collaboration with over 345 security researchers from +45 countries around the world in the past 12 months. Together, we have discovered and fixed more than a thousand potential security issues before they impacted our customers. In recognition of this...

7 AI score
Exploits: 0
MSRC
added 2023/08/07 7:00 a.m., 4 views

Microsoft Bug Bounty Program Year in Review: $13.8M in Rewards

We are thrilled to share the results of our collaboration with over 345 security researchers from +45 countries around the world in the past 12 months. Together, we have discovered and fixed more than a thousand potential security issues before they impacted our customers. In recognition of this...

7.5 AI score
Exploits: 0
MSRC
added 2023/08/04 7:00 a.m., 16 views

Microsoft mitigates Power Platform Custom Code information disclosure vulnerability

Summary: On 30 March 2023, Tenable informed Microsoft under Coordinated Vulnerability Disclosure (CVD) of a security issue concerning Power Platform Custom Connectors using Custom Code. This feature allows customers to write code for custom connectors. This issue has been fully addressed for all...

7.5 AI score
Exploits: 0
MSRC
added 2023/07/27 7:00 a.m., 33 views

BlueHat October 2023 Call for Papers is Now Open!

As you may have seen on social media, the next BlueHat conference will be October 11 – 12, 2023, on Microsoft’s Redmond campus in Washington state, USA. The Call for Papers (CFP) is now open through August 18, 2023. The BlueHat community is a unique blend of security researchers and responders from...

6.9 AI score
Exploits: 0
MSRC
added 2023/07/20 7:00 a.m., 14 views

Updated Researcher Portal Submission Form: Discover the New Fields in the Submission Form

Summary: We are excited to announce the release of the updated Researcher Portal submission form. These new fields allow Security Researchers to provide additional context for the reported security issue, providing product teams with more data for analysis, gain insights and identify trends acros...

7.2 AI score
Exploits: 0
MSRC
added 2023/07/17 7:00 a.m., 23 views

From Bounty Leaderboards to Microsoft Security Researcher, Meet Cameron Vincent!

Fun Facts: Game you binged: Guitar Hero and Rock Band fanatic. Go to snack: Nutri-Grain Bars. Favorite Drink: Soda – Coca Cola specifically. Favorite Place: Singapore – stayed an extra week after a hacking collaboration and truly fell in love and hopes to get back as soon as possible. Favorite...

6.9 AI score
Exploits: 0
Total number of security vulnerabilities: 1365