Normal view

There are new articles available, click to refresh the page.
Before yesterdayMicrosoft Security Response Center

Why XSS still matters: MSRC’s perspective on a 25-year-old threat 

4 September 2025 at 03:00
Cross-Site Scripting (XSS) has been a known vulnerability class for two decades, yet it continues to surface in modern applications, including those built with the latest frameworks and cloud-native architectures. At Microsoft, we still receive a steady stream of XSS reports across our services, from legacy portals to newly deployed single-page apps.

BlueHat Asia 2025: Closing soon: Submit your papers by September 14, 2025

27 August 2025 at 03:00
The next chapter of the Microsoft Security Response Center’s (MSRC) BlueHat security conference is fast approaching. BlueHat Asia 2025 will take place in Bengaluru, India, on November 5 – 6, 2025 and the Call for Papers is now open. Submissions will be accepted through September 14, 2025. Now in its third decade, BlueHat is more than a conference, it’s a community.

.NET Bounty Program now offers up to $40,000 in awards 

We’re excited to announce significant updates to the Microsoft .NET Bounty Program. These changes expand the program’s scope, simplify the award structure, and offer great incentives for security researchers. The .NET Bounty Program now offers awards up to $40,000 USD for vulnerabilities impacting the .NET and ASP.NET Core (including Blazor and Aspire).

Zero Day Quest 2025: $1.6 million awarded for vulnerability research

21 April 2025 at 03:00
This month, the Microsoft Security Response Center recently welcomed some of the world’s most talented security researchers at Microsoft’s Zero Day Quest, the largest live hacking competition of its kind. The inaugural event challenged the security community to focus on the highest-impact security scenarios for Copilot and Cloud with up to $4 million in potential awards.

Microsoft Bounty Program Year in Review: $16.6M in Rewards 

5 August 2024 at 03:00
We are excited to announce that this year the Microsoft Bounty Program has awarded $16.6M in bounty awards to 343 security researchers from 55 countries, securing Microsoft customers in partnership with the Microsoft Security Response Center (MSRC). Each year we identify over a thousand potential security issues together, safeguarding our customers from possible threats through the Microsoft Bounty Program.

Announcing the CVRF API 3.0 upgrade

At the Microsoft Security Response Center, we are committed to continuously improving the security and performance of our services to meet the evolving needs of our customers. We are excited to announce the rollout of the latest version of our Common Vulnerability Reporting (CVRF) API. This update brings improvements in both security and performance, without requiring any changes to your existing invocation methods.

Microsoft Bug Bounty Program Year in Review: $13.8M in Rewards

7 August 2023 at 03:00
We are thrilled to share the results of our collaboration with over 345 security researchers from +45 countries around the world in the past 12 months. Together, we have discovered and fixed more than a thousand potential security issues before they impacted our customers. In recognition of this valuable collaboration, we have awarded $13.

postMessaged and Compromised

25 August 2025 at 03:00
At Microsoft, securing the ecosystem means more than just fixing bugs—it means proactively hunting for variant classes, identifying systemic weaknesses, and working across teams to protect customers before attackers ever get the chance. This blog highlights one such effort: a deep dive into the risks of misconfigured postMessage handlers across Microsoft services and how MSRC worked with engineering teams to mitigate them.

Microsoft Response to Distributed Denial of Service (DDoS) Attacks against HTTP/2

10 October 2023 at 03:00
Summary Beginning in September 2023, Microsoft was notified by industry partners about a newly identified Distributed Denial-of-Service (DDoS) attack technique being used in the wild targeting HTTP/2 protocol. This vulnerability (CVE-2023-44487) impacts any internet exposed HTTP/2 endpoints. As an industry leader, Microsoft promptly opened an investigation and subsequently began working with industry partners for a coordinated disclosure and mitigation plan.

Microsoft Bounty Program year in review: $17 million in rewards

5 August 2025 at 03:00
We’re thrilled to share that this year, the Microsoft Bounty Program has distributed $17 million to 344 security researchers from 59 countries, the highest total bounty awarded in the program’s history. In close collaboration with the Microsoft Security Response Center (MSRC), these security researchers have helped identify and resolve more than a thousand potential vulnerabilities, strengthening protections for Microsoft customers around the world.

Zero Day Quest: Join the largest hacking event with up to $5 million in total bounty awards

4 August 2025 at 03:00
Last year, we announced the largest hacking event in history: Zero Day Quest, with up to $4 million in bounty awards. The response from the global security community was incredible and helped improve security for our customers and partners. This year, Zero Day Quest is back with even more potential bounty awards: up to $5 million total for high-impact research in Cloud and AI security.

How Microsoft defends against indirect prompt injection attacks

Summary The growing adoption of large language models (LLMs) in enterprise workflows has introduced a new class of adversarial techniques: indirect prompt injection. Indirect prompt injection can be used against systems that leverage large language models (LLMs) to process untrusted data. Fundamentally, the risk is that an attacker could provide specially crafted data that the LLM misinterprets as instructions.

Customer guidance for SharePoint vulnerability CVE-2025-53770

Revision Change Date 1.0 Information published 07/19/25 2.0 Clarified affected SharePoint product in summary 07/20/25 Added fix availability guidance Provided additional protections guidance regarding: Upgrade SharePoint products to supported versions (if required) Install July 2025 Security Updates Rotate machine keys Updated Microsoft Defender detections and protections section: Documented additional MDE alerts Mapping exposure via Microsoft Defender Vulnerability Management Documented CVE-2025-53771 3.

Congratulations to the MSRC 2025 Most Valuable Security Researchers!

The Microsoft Researcher Recognition Program offers public thanks and recognition to security researchers who help protect our customers through discovering and sharing security vulnerabilities under Coordinated Vulnerability Disclosure. Today, we are excited to recognize this year’s Most Valuable Researchers (MVRs), based on the total number of points earned for each valid report.

Congratulations to the top MSRC 2025 Q2 security researchers!

Congratulations to all the researchers recognized in this quarter’s Microsoft Researcher Recognition Program leaderboard! Thank you to everyone for your hard work and continued partnership to secure customers. The top three researchers of the 2025 Q2 Security Researcher Leaderboard are wkai, Brad Schlintz (nmdhkr), and 0x140ce! Check out the full list of researchers recognized this quarter here.

Rising star: Meet Dylan, MSRC’s youngest security researcher

At just 13 years old, Dylan became the youngest security researcher to collaborate with the Microsoft Security Response Center (MSRC). His journey into cybersecurity is inspiring—rooted in curiosity, resilience, and a deep desire to make a difference. Early beginnings: From scratch to security Dylan’s fascination with technology began early. Like many kids, he started with Scratch—a visual programming language for making simple games and animations.

RedirectionGuard: Mitigating unsafe junction traversal in Windows

As attackers continue to evolve, Microsoft is committed to staying ahead by not only responding to vulnerabilities, but also by anticipating and mitigating entire classes of threats. One such threat, filesystem redirection attacks, has been a persistent vector for privilege escalation. In response, we’ve developed and deployed a new mitigation in Windows 11 called RedirectionGuard.

Congratulations to the Top MSRC 2025 Q1 Security Researchers!

Congratulations to all the researchers recognized in this quarter’s Microsoft Researcher Recognition Program leaderboard! Thank you to everyone for your hard work and continued partnership to secure customers. The top three researchers of the 2025 Q1 Security Researcher Leaderboard are 0x140ce, VictorV, Vaisha Bernard of Eye Security! Check out the full list of researchers recognized this quarter here.

Announcing the winners of the Adaptive Prompt Injection Challenge (LLMail-Inject)

14 March 2025 at 03:00
We are excited to announce the winners of LLMail-Inject, our first Adaptive Prompt Injection Challenge! The challenge ran from December 2024 until February 2025 and was featured as one of the four official competitions of the 3rd IEEE Conference on Secure and Trustworthy Machine Learning (IEEE SaTML). The overall aims of this challenge were to advance the state-of-the-art defenses against indirect prompt injection attacks and to broaden awareness of these new techniques.

Jailbreaking is (mostly) simpler than you think

13 March 2025 at 03:00
Content warning: This blog post contains discussions of sensitive topics. These subjects may be distressing or triggering for some readers. Reader discretion is advised. Today, we are sharing insights on a simple, optimization-free jailbreak method called Context Compliance Attack (CCA), that has proven effective against most leading AI systems. We are disseminating this research to promote awareness and encourage system designers to implement appropriate safeguards.
❌
❌