Earlier this year, I’ve reported 7 XSS flaws on different pages of the Dutch MSN Entertainment site to the Microsoft Security Response Center (MSRC case #14103cl) and immediately received a response – not as fast as HP did previously on my HP IMC flaw – but still very fast ;-).


In contrast to Google or Facebook, Microsoft does not provide any kind of bugbounty program – they’d probably lose too much money with such a program 😀 – just joking!

Instead of this, they provide something which is called “Security Researcher Acknowledgments for Microsoft Online Services” on a monthly basis, where they add security researchers who have responsible disclosed valuable and not-yet-found-and-reported flaws in their online services. Btw: Unfortunately, one of my reported flaws has not been credited by Microsoft, since it’s been previously disclosed by someone else. Anyways, great to read my name on the May 2013 list – fits perfectly on my cv 🙂