Microsoft has detailed the steps involved in the processing of vulnerability reports, so that reporting researchers know what to expect when submitting information on a bug.
The first thing researches need to do, the company says, is to ensure that the issue they have identified indeed qualifies as a security vulnerability, and only then to head over to Microsoft’s Researcher Portal to submit a report.
The portal, the tech company notes, delivers a secure and guided way for security researchers to share all of the necessary details required to reproduce a reported vulnerability and identify a fix for it. Each vulnerability should have its own report.
“The portal will also guide you in working out what additional information you will need to write a high-quality report. High-quality reports will help your researcher reputation score, and if your report qualifies for one of our bounty program rewards, you also may receive a higher reward amount too,” Microsoft notes.
Once a report has been submitted, Microsoft’s employees will triage it, assessing whether it indeed details a security flaw and assigning it to the relevant product engineering team. Only security vulnerabilities that meet Microsoft’s servicing criteria will be provided a case number.
The company next evaluates the severity and impact of vulnerabilities that can be reproduced, and then the information is sent to product engineers for further action. While a report is marked as ‘New’ in the Researcher Portal during triage and case assignment, its state is changed to ‘Review/Repro’ at the next step, and the reporter is informed via email, Microsoft notes.
“This process can take some time, depending on the complexity of the issue and the completeness ..
Support the originator by clicking the read the rest link below.
