How to report a security hole to Microsoft

Hixie helped me report a security hole to Opera. Then Hixie and his friends at the W3C Technical Plenary tried to help me report it to Microsoft, offering these suggestions:

  • "There's probably a form on"
  • "You report it to cnet."
  • "You break into Microsoft's systems using the exploit, and insert the bug into their bug system. Since you can only do that with security bugs, that filters out the non-security ones."

I think I reported the bug to Microsoft successfully. The language on Microsoft's form ("enchancement suggestion" and "wish" rather than "bug report") was discouraging, but I did get to check a box labeled "Security".

4 Responses to “How to report a security hole to Microsoft”

  1. Jan! Says:

    So the bug is in both Opera and IE, but not in Gecko-based browsers? Is it a serious one, as in: could it be exploited to make Bad Things happen?

    (PS: Please fix your tabindex order so I can tab from this textarea to the submit button)

    (Also, when previewing this comment, I got the followin error at the bottom of the page, under “Previous Comments”: “MT::App::Comments=HASH(0x81051bc) Use of uninitialized value in sprintf at lib/MT/Template/ line 1187.”)

  2. Paul Paradise Says:

    If you actually have a problem getting ahold of Microsoft for something important, don’t forget your friendly alumni. Given I work there, I can probably forward something along and get it noticed way more easily.


  3. hao2lian Says:

    Skywriting above the Redmond company usually works.

  4. Jesse Ruderman Says:

    I reported the hole using Microsoft’s wish form and did not get a response. I also reported it by e-mailing Paul and did not get a response. I finally got a response from Microsoft after reporting the hole using Microsoft Premier Support. I was not satisfied with the response, but at least I know that someone at Microsoft read it.

    Today I found, which says that the correct way to report a security hole is to e-mail I’ll try that next time I find a hole in IE.