
I know that if you discover a vulnerability in an open source product you have the option of fixing it yourself, creating a bug report, or using other methods to prove that you have contributed to the internet (read: society, if you like) as a whole in some way.

If I have found a vulnerability and submit it to Microsoft (and they have recognized it as such), is there a similar way I can prove that I indeed provided the information? If so, what is this method: an email, a link on a Microsoft site, a "good guy" letter?

To avoid this question becoming a discussion (and getting closed immediately), please limit your responses to the following criteria:

  • Please assume responsible disclosure as defined in "Is there a “standard” to reporting security vulnerabilities that we can use?", using @void_in's answer
  • Please, no ethical discussions (while important, that is not what I am asking here)
  • If it helps you frame the question, this would be in regard to proof for a resume/CV
  • Timing is not an issue. I would assume that nothing would happen until at least a Patch Tuesday update
DarkSheep

1 Answer


Yes! Microsoft's policy seems to be that if you report the vulnerability to them responsibly, you'll get a mention in the acknowledgments section of the security bulletins. I would also expect some back-and-forth correspondence on the issue that you could keep as further proof.

When you see a security professional acknowledged in a Microsoft Security Bulletin, it means that they reported the vulnerability to us confidentially, worked with us to develop the patch, and helped us disseminate information about it once the threat was eliminated. They minimized the threat to customers everywhere by ensuring that Microsoft could fix the problem before malicious users even knew it existed.

The acknowledgements section does indeed include considerable detail, naming individuals and organizations. For example, the October 2013 bulletin mentions (among others):

  • xxxx.xxxx@gmail.com, working with HP's Zero Day Initiative, for reporting the Internet Explorer Memory Corruption Vulnerability (CVE-2013-3872)

It would certainly look very good on your CV!

Adi
scuzzy-delta