This Thursday, many people in the United States will celebrate Thanksgiving. As you probably all know, this is traditionally seen as a time to express gratitude. Well, yesterday, we updated our “Security Researcher Acknowledgments for Microsoft Online Services” page to publicly say “thank-you” to researchers that reported issues in our online services to us for the month of October.

This page doesn’t get a whole lot of attention, at least not as much as our security bulletins, but a quick look shows there’s a large, valuable and active community working with us to help secure our online services.

We launched this page in July of 2007. Since then, we’ve provided over 150 public acknowledgments of our appreciation. We’ve linked to sites researchers have provided so folks could learn more about them and their services. And we update this page each month as new researchers are discovered and new issues are fixed.

We’ve got a full archive of all the researchers listed on Security TechCenter’s “Community” Web page as well as a Frequently Asked Questions page about how we acknowledge researchers who find issues in online services. Here are a couple key questions that are answered on this page:

Q: Why are you acknowledging online services security researchers?

We want online services security researchers to know that we respect and appreciate their contribution to the security of Microsoft’s Web properties. We appreciate any researcher who responsibly submits vulnerabilities, which helps protect customers from security threats.

Q: Why do you not recognize online services security researchers via bulletins?

Security bulletins are a "call-to-action" from the Microsoft Security Response Center and generally include mitigations, workarounds, and vulnerability details that customers can use to help protect themselves. They also include security update information that will help customers verify their status. Because Microsoft fixes online services vulnerabilities on our side, there is generally no call-to-action for customers and generally no security bulletin.

Q: Will Microsoft take legal action against those who submit online services security vulnerabilities?

Microsoft will not pursue legal action against security researchers that responsibly submit potential online services security vulnerabilities.

That last one is particularly important, as a few weeks ago an individual found an issue with Bing Cashback that prompted a letter from our legal services team. This was due to the fact that an actual fraudulent transaction occurred. However, as demonstrated above, letters from our legal team are not the experience most researchers have when reporting vulnerabilities to us in our products (online or otherwise), even when reporting them publicly. Reporting vulnerabilities to vendors, especially for new researchers, can be intimidating. So the easiest way to avoid any confusion is to submit potential vulnerabilities to secure@microsoft.com directly, and we’ll start a dialog to work on the issue together.

The main reason we created this page is we wanted to let online services security researchers know that we respect and appreciate their contribution to the security of Microsoft’s Web properties. We appreciate any researcher who responsibly submits vulnerabilities, which helps protect customers from security threats. There’s likely a lot more that folks think we should do to credit the researcher community for their work. This is an area that results in a lot of discussion within the community, within our halls, and on the blogosphere. Hopefully, our track record shows we understand the importance of saying “thank you” to folks who responsibly report vulnerabilities —both with the Security Researcher Acknowledgments for Microsoft Online Services site above and in our Security Bulletins themselves.

Thanks,

Mike Reavey

*This posting is provided "AS IS" with no warranties, and confers no rights.*