A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle reports of vulnerabilities submitted by ethical hackers. A VDP must thus be easily identifiable via a simple way, a security.txt notice.

# Our security acknowledgements page 
Acknowledgments: https://msrc.microsoft.com/update-guide/acknowledgement

# Canonical URI 
Canonical: https://www.microsoft.com/.well-known/security.txt

# Our Researcher Portal  
Contact: https://msrc.microsoft.com/report/vulnerability/new

# Our email address 
Contact: mailto:secure@microsoft.com

# Our PGP Key 
Encryption: https://www.microsoft.com/en-us/msrc/pgp-key-msrc

Expires: 2025-10-10T16:00:00.000Z

# Our Bounty policy 
Policy: https://www.microsoft.com/en-us/msrc/bounty/

# Our Coordinated Vulnerability Disclosure Policy 
Policy: https://www.microsoft.com/en-us/msrc/cvd
 
# Our Bounty Legal Safe Harbor Policy 
Policy: https://www.microsoft.com/en-us/msrc/bounty-safe-harbor

# Our Common Security Advisory Framework (CSAF) publications
CSAF: https://msrc.microsoft.com/csaf/provider-metadata.json

Preferred-Languages: en