Example Report Submissions to the MSRC
Report quality definitions for Microsoft’s Bug Bounty programs
Microsoft strives to address reported vulnerabilities as quickly as possible. One of the factors that influences the time to address a vulnerability is how long it takes to assess the root cause, severity, and impact of the vulnerability. In practice, the amount of time it takes Microsoft to assess a vulnerability is heavily influenced by the quality of the information provided with a vulnerability report.
To help security researchers better understand the information we need to accelerate the assessment of a vulnerability, we’ve defined three quality levels for a vulnerability report: low, medium, and high. These quality levels are summarized in the table below. We encourage everyone to provide high quality reports whenever possible and our bounty programs typically incentivize this by offering higher rewards for higher quality reports.
While we prefer high quality reports, we always want to learn about vulnerabilities that affect Microsoft, so we encourage researchers to report vulnerabilities even if they are not able to provide the highest level of quality.
Quality | Description | Information Required |
---|---|---|
Low |
A low quality vulnerability report provides sufficient information to reproduce the vulnerability but does not include a reliable proof of concept.
|
|
Medium |
A medium quality vulnerability report improves upon a low quality report by providing a proof of concept that is reliable and minimized.
|
|
High |
A high quality vulnerability report improves upon a medium quality report by providing a detailed and correct analysis of the vulnerability.
|
|
Explanation of information required
Information | Explantion |
---|---|
Type of vulnerability |
A classification of the type of vulnerability being reported, such as Use After Free, Cross-Site Scripting, and so on. For examples of vulnerability types, it may be helpful to refer to https://nvd.nist.gov/vuln/categories.
|
Affected Component |
The component or service that is affected by the vulnerability. This should include the component’s name and any relevant version information.
|
Affected target environment |
The target environment that is affected by the vulnerability, such as the operating system or application that is affected. This should include a description of the target environment, including its name and any relevant version information. For Windows targets, this should include the BuildLabEx string which can be found here: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\BuildLabEx |
Vulnerability reproduction output |
The output from a successful reproduction of the vulnerability. This could consist of debugger output, a screenshot, a video, or some other format that demonstrates a reproduction of the issue. More detailed information like debugger output is preferred.
|
Proof-of-concept |
A description of the vulnerability in the form of text, code, or other form depending on the nature of the vulnerability. This description should include all steps required to trigger the vulnerability. Any information about how the target needs to be configured to trigger the vulnerability should also be included.
|
Reliable & minimized proof-of-concept |
A proof-of-concept that reproduces the vulnerability automatically (e.g. with code) when applicable. This proof-of-concept should:
|
Detailed & correct analysis |
This analysis should correctly describe how each part of the proof-of-concept affects the target in terms of triggering the vulnerability. In addition, the analysis should include information about how timing, environment, or other constraints affect successfully triggering the vulnerability. This analysis should also describe the root cause of the vulnerability, to the degree possible.
|
High Quality Report Example
Windows:
Platform:
Class:
Bounty Program:
Summary:
Description:
Proof of Concept:
poc.exe c:\users\user\appdata\local\low\abc c:\notreal.
Expected Result:
Observed Result:
Low Quality Report Example
# win32kfull!NtGdiHLSurfGetInformation+0x11f kernel info leak