Microsoft Security Testing Rules of Engagement
Microsoft values the contributions of the security community and appreciates their efforts in uncovering vulnerabilities and enhancing the safety of our systems. With collaboration and alignment, we can ensure the most effective protection for customers while fostering a secure digital environment.
For more information on how researchers are protected when participating in our programs, please refer to the Safe Harbor Policy.
PURPOSE
The following guidelines present a cohesive framework for all forms of security testing, including penetration testing, vulnerability scanning, and security research, performed on Microsoft Online Assets (as defined below). This document outlines the unified rules (“Rules of Engagement”) for individuals and entities aiming to perform security testing against Microsoft Online Assets. The rules are designed to clarify acceptable practices, minimize unintended harm, and encourage responsible conduct while safeguarding Microsoft’s infrastructure and customer data.
For purposes of this document, “you” is defined as the owner of the resources or their authorized agents, such as third-party security consultancies. The rules of engagement apply equally to the owner of the resource and their duly authorized agents.
Microsoft may, at our discretion, interrupt attacks in progress by you or your agents regardless of whether or not they are part of a valid test.
DEFINITIONS
To ensure clarity and a shared understanding, the following definitions apply:
- Coordinated Vulnerability Disclosure: A practice where researchers privately report new vulnerabilities to vendors, allowing them to diagnose and fix issues before public disclosure, ensuring timely and consistent protection for customers.
- Security Testing: Includes activities such as penetration testing, vulnerability scanning, and security research aimed at identifying weaknesses in Microsoft systems.
- Penetration Testing: A proactive cybersecurity measure where authorized security experts simulate real-world attacks to identify and exploit vulnerabilities in a system. The primary goal is to uncover weaknesses so they can be remediated before malicious actors can exploit them.
- Vulnerability Scanning: The process of using automated tools to detect and report known vulnerabilities in a system or network, helping to maintain security by identifying potential threats.
- Security Research: The practice of investigating and analyzing systems, software, and networks to uncover vulnerabilities, understand security flaws, and contribute to the development of safer technology.
- Bug Bounty: A Microsoft program to recognize and/or reward security researchers for identifying and reporting valid vulnerabilities in predefined targeted areas.
RULES OF ENGAGEMENT
These rules are designed to enable responsible security testing of Microsoft Online Assets without causing harm to Microsoft systems, customers, or other stakeholders.
SCOPE
For the purposes of these Rules of Engagement, "Microsoft Online Assets" encompass all products, services, and infrastructure owned or managed by Microsoft. This includes, but is not limited to, various cloud services, productivity tools, security solutions, artificial intelligence services, and enterprise applications. These assets are integral to Microsoft's ecosystem and are designed to provide comprehensive solutions for identity management, collaboration, data protection, business operations, and more.
For LinkedIn, GitHub, and Activision Blizzard, Inc., please visit their official website for reporting vulnerabilities or contact their security team for more information.
REPORTING SECURITY ISSUES
If, during security testing, you discover a potential vulnerability in Microsoft Online Assets, please follow the provided instructions on how to validate your findings and submit them to the Microsoft Security Response Center (MSRC). Ensure that all vulnerability reports adhere to the Coordinated Vulnerability Disclosure principles.
If you accidentally access any data you do not have rights to, stop immediately. Notify MSRC with the details, delete the data, and acknowledge this in any vulnerability report. Do not share the accessed information.
Microsoft offers bug bounty awards and recognition for many types of security vulnerabilities. If you would like to be considered for a bounty award, ensure your submission aligns with our published bug bounty scope and the bounty terms and conditions.
PROHIBITED ACTIVITIES
Engaging in the disruption, compromise, access, storage, or damage of data or property without explicit written consent from the owner, or adversely affecting Microsoft services for other users, is strictly prohibited. Specific prohibited activities include but are not limited to:
- Accessing customer or Microsoft data and testing customer systems without explicit permission: Any interaction with data or systems that you do not own or have explicit permission to access is prohibited. This includes accessing customer data, Microsoft data, or testing systems that belong to customers.
- Example: Extracting training data, model architectures, model weights, training code, customer documents, metadata, names, configuration files, system logs, or any other unauthorized data.
- Using credentials or other secrets that are not your own. This includes any credentials or secrets that you do not own, regardless of how they are obtained, including those that were leaked publicly.
- Interacting with storage accounts that are not part of your subscription or that you do not own.
- Performing denial-of-service testing.
- Executing network-intensive fuzzing or automated testing that generates excessive traffic.
- Conducting phishing or social engineering attacks targeting Microsoft employees or using Microsoft services to perform phishing or other social engineering attacks against others.
Expanded examples of prohibited activities include:
- Attempting to access, scan or test the security of a Microsoft Azure tenant, system logs or databases that you do not own or have explicit permission to test.
- Launching a flood attack on Microsoft servers to test their resilience, causing legitimate users to experience service outages.
- Executing harmful scripts or commands beyond proof-of-concept demonstrations. This includes all post-exploit actions such as enumerating internal networks/files, dumping secrets, executing additional code, lateral movement, and pivoting.
ENCOURAGED ACTIVITIES
We encourage the following security testing practices:
- Creating test accounts or trial tenants to evaluate cross-account or cross-tenant security scenarios.
- Performing fuzzing, port scanning, or vulnerability assessments on your own Azure Virtual Machines.
- Example: These activities are allowed as long as every target is an Azure Virtual Machine you own and the testing stays within your own assets and permissions.
- Generating traffic to test surge capacity within your applications.
- Testing your tenant’s security monitoring and detection systems (e.g., anomalous logs, EICAR files).
- Evaluating conditional access or mobile application management (MAM) policies on Microsoft Intune.
- Attempting to break out of shared service containers like Azure Websites or Azure Functions, provided that you report any finding responsibly and stop testing immediately once a breakout succeeds.
- Attempting to break out of AI system boundaries. This includes, without limitation, bypassing restrictions in the system prompt.
Expanded examples of encouraged activities:
- Simulating high traffic loads on your web application hosted on Azure to evaluate its performance and scalability under peak conditions.
- Testing the isolation mechanisms of Azure Functions to ensure that code running in one function cannot interfere with another and responsibly reporting any findings.
- Testing the robustness of AI models by attempting to bypass restrictions or prompts, and reporting any vulnerabilities discovered.
Your use of Microsoft's services remains subject to the terms and conditions under which they were purchased. Violation of these Rules of Engagement or applicable service terms may result in suspension or termination of your account or services, or legal action as set forth in the Microsoft Product Terms. Microsoft reserves the right to respond to any actions that appear malicious, regardless of intent.
By adhering to these unified Rules of Engagement, security researchers and customers can contribute meaningfully to a safer digital ecosystem while minimizing risks and ensuring compliance with Microsoft's standards.