How to report a security hole to Microsoft

Hixie helped me report a security hole to Opera. Then Hixie and his friends at the W3C Technical Plenary tried to help me report it to Microsoft, offering these suggestions:

  • "There's probably a form on microsoft.com/ie."
  • "You report it to cnet."
  • "You break into Microsoft's systems using the exploit, and insert the bug into their bug system. Since you can only do that with security bugs, that filters out the non-security ones."

I think I reported the bug to Microsoft successfully. The language on Microsoft's form ("enhancement suggestion" and "wish" rather than "bug report") was discouraging, but I did get to check a box labeled "Security".

4 Responses to “How to report a security hole to Microsoft”

  1. Jan! Says:

    So the bug is in both Opera and IE, but not in Gecko-based browsers? Is it a serious one, as in: could it be exploited to make Bad Things happen?

    (PS: Please fix your tabindex order so I can tab from this textarea to the submit button)

    (Also, when previewing this comment, I got the following error at the bottom of the page, under “Previous Comments”: “MT::App::Comments=HASH(0x81051bc) Use of uninitialized value in sprintf at lib/MT/Template/Context.pm line 1187.”)

  2. Paul Paradise Says:

    If you actually have a problem getting ahold of Microsoft for something important, don’t forget your friendly alumni. Given I work there, I can probably forward something along and get it noticed way more easily.

    -Paul

  3. hao2lian Says:

    Skywriting above the Redmond company usually works.

  4. Jesse Ruderman Says:

    I reported the hole using Microsoft’s wish form and did not get a response. I also reported it by e-mailing Paul and did not get a response. I finally got a response from Microsoft after reporting the hole using Microsoft Premier Support. I was not satisfied with the response, but at least I know that someone at Microsoft read it.

    Today I found http://channel9.msdn.com/ShowPost.aspx?PostID=11308, which says that the correct way to report a security hole is to e-mail secure@microsoft.com. I’ll try that next time I find a hole in IE.