Microsoft has outlined the steps involved in its review of vulnerability reports, so that reporting researchers know what to expect when sending details of a problem.
The first thing researchers need to do, the company states, is to ensure that the problem they have found actually counts as a security problem, and then to head over to Microsoft’s Researcher Portal to submit a report.
The portal, the tech company states, offers security researchers a safe and directed way to exchange all the information needed to replicate an identified vulnerability and locate a patch for it. Each weakness should have a report of its own.
You will also be directed by the portal to find out what extra details you need to compose a high-quality paper. Your researcher’s credibility will be helped by high-quality results, and if your work qualifies for one of our bounty programme awards, you will even earn a higher incentive number, states Microsoft.
After a report has been submitted, Microsoft workers triage it, determine whether it truly outlines a security flaw, and delegate it to the appropriate software technical team. A case number is given only for security bugs that meet Microsoft’s maintenance requirements.
The organisation next determines the magnitude and effect of bugs that can be replicated, and then the details are forwarded to product engineering for further intervention. A report that is marked as ‘New’ in the Researcher Portal during triage and case assignment has its state changed to ‘Review / Repro’ at the next stage, and the reporter is notified by email, Microsoft says.
“Depending on the severity of the topic and the completeness of the submission, this process will take some time. When the case progresses to the production level, you can get an update, and this may take up to one to two weeks, sometimes fewer and sometimes more. If you do not hear back from us within two weeks, please search your junk folder before reaching out to us,” the tech firm notes.
Microsoft further describes that, for bugs that its workers agree can be resolved by urgent servicing, a patch is created and made available in collaboration with the release teams. In this situation, the report’s state in the Researcher Repository is changed to ‘Create’.
At this point, the bounty team evaluates the submission to decide whether it is eligible for an award. If the report qualifies for a bug bounty payout, the reporter is told by email. To earn their reward, researchers are expected to provide an account with one of the payment processors for the Microsoft Bounty Schemes.
When a patch is being planned for publication, the report’s state shifts to ‘Release’. The patch is normally included with the Upgrade Tuesday release, or other service changes. Once a patch has been carried out, the report’s status updates to ‘Complete’, Microsoft says.