Microsoft takes the security of our software products and services seriously, including all open source projects.

If you believe you have found a security vulnerability in this repository, please report it to us as described below.

Please do not report security vulnerabilities through public GitHub issues. Instead, please report them to the Microsoft Security Response Center (MSRC).

You can report security issues to MSRC at https://msrc.microsoft.com/create-report.

If you prefer to submit without logging in, send email to secure@microsoft.com. If possible, encrypt your message with our PGP key:

PGP key: https://www.microsoft.com/en-us/msrc/pgp-key-msrc
MSRC public key (fingerprint): C1A6 A0F9 0F5E 2D58 7E94 5BB6 9C5D 4F3C 6F2D 7F89

Please provide as much of the following as you can to help us reproduce and triage the issue:

• Detailed description of the vulnerability
• Steps to reproduce / proof-of-concept
• Impact assessment (what could an attacker achieve)
• Affected commit / version / configuration
• Any relevant logs, stack traces, or screenshots

MSRC will review the report and contact you for additional information if needed. You will receive a tracking identifier. Once the investigation is complete, we will coordinate public disclosure with you as appropriate.

We prefer reports in English, but we will try to accommodate submissions in other languages.

Microsoft supports safe harbor for security researchers who:

1. Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.
2. Do not exploit a vulnerability beyond the minimum extent necessary to demonstrate it.
3. Do not publicly disclose the vulnerability details before we have had a reasonable opportunity to fix it.

This policy applies to the code and assets in this repository. For other Microsoft online services or products, please refer to the broader Microsoft Vulnerability Disclosure Program: https://aka.ms/vdp.

If your issue is not security-related (e.g., a bug, feature request, or performance concern), please open a normal GitHub issue instead of using the MSRC process.

If the vulnerability is in a third-party dependency, please identify the component and version. We may redirect you or coordinate with upstream maintainers.

This repository should not contain production credentials, API keys, or secrets. If you discover exposed secrets, rotate them immediately through your internal process and then file a private issue or MSRC report if exploitation risk exists.

We appreciate researchers who responsibly disclose vulnerabilities and help us keep users safe. Where applicable, issues may qualify for Microsoft’s bug bounty programs: https://aka.ms/bugbounty.

Primary channel: https://msrc.microsoft.com/create-report
Alternate (email): secure@microsoft.com
PGP key: https://www.microsoft.com/en-us/msrc/pgp-key-msrc

Thank you for helping keep this project and its users secure.