The ds team takes the security of our software products and services seriously.
If you believe you have found a security vulnerability in ds that meets Microsoft's definition of a security vulnerability, please report it to us as described below.
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them to the ds team privately on GitHub.
You should receive a response within 24 hours. If for some reason you do not, please follow up via another message to ensure we received your original message.
Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:
- Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
- Full paths of source file(s) related to the manifestation of the issue
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit the issue
This information will help us triage your report more quickly.
If you are reporting for a bug bounty, please know beforehand that this is a non-profit Free and Open Source Software (FOSS) that accepts donations, and we can not guarantee a bounty. We, however, can vouch for you and your skills, in a written format, for your contribution (in any form).
We humbly request you not to stop reporting (and fixing, if you were initially going to) security vulnerabilities due to the lack of guarantee for bounties. We would love your security patches to any vulnerabilities.
We prefer all communications to be in English (US).
The ds team follows the following principle of Coordinated Vulnerability Disclosure.
Under the principle of Coordinated Vulnerability Disclosure, researchers disclose newly discovered vulnerabilities in hardware, software, and services directly to the vendors of the affected product; to a national CERT or other coordinator who will report to the vendor privately; or to a private service that will likewise report to the vendor privately. The researcher allows the vendor the opportunity to diagnose and offer fully tested updates, workarounds, or other corrective measures before any party discloses detailed vulnerability or exploit information to the public. The vendor continues to coordinate with the researcher throughout the vulnerability investigation and provides the researcher with updates on case progress. Upon release of an update, the vendor may recognize the finder for the research and privately reporting the issue. If attacks are underway in the wild, and the vendor is still working on the update, then both the researcher and vendor work together as closely as possible to provide early public vulnerability disclosure to protect customers. The aim is to provide timely and consistent guidance to customers to help them protect themselves.
For more information on CVD, please review the information provided in the following links: