Jeremy Tinder

We’re excited to announce the scope of the Microsoft AI Bounty Program has expanded to include new vulnerability types for Critical and Important cases, with awards up to $30,000. New vulnerability types: - Deserialization of Untrusted Data - Injection (Code Injection) - Authentication Issues - Injection (SQL Injection and Command Injection) - Server-Side Request Forgery (SSRF) - Improper Access Control - Cross Site Scripting (XSS) - Cross-Site Request Forgery (CSRF) - Web Security Misconfiguration - Cross Origin Access Issues - Improper Input Validation Learn more on the AI Bounty Program page: microsoft.com/en-us/msrc/bou…

Congratulations to all the researchers recognized in this quarter’s MSRC 2024 Q4 Security Researcher Leaderboard! 🎉Thanks to all the researchers who partnered with us for your hard work and continued dedication to securing our customers. Learn more in our blog post: msrc.microsoft.com/blog/2025/01/c… We also want to recognize the top 10 researchers in the leaderboard: 🥇Suresh Chelladurai 🥈VictorV @vv474172261 🥉wkai Anonymous Dhiral Patel @dhiralpatel94 200D8A8F3C82E9097370B6831725C80B Alireza Amirheidari Adnan Unpatched.ai ycdxsb #cybersecurity #securityresearch #bugbounty

Join MSRC and special guest Scott Gorlick, Principal Security Architect at Microsoft, next week for a virtual session on Security Research in Copilot Studio. The Copilot ecosystem allows enterprises to develop Copilot Agents using resources and integrations that span services in Microsoft and systems owned by the customer outside the Microsoft ecosystem. Demonstrating the architecture, governance controls, and other service capabilities will help focus security research and increase the fidelity of vulnerability reports. 🗓️ Date: Wednesday, January 22nd 🕙 Time: 10 – 11 AM PST Register now: microsoft.eventsair.com/security-resea…

As part of our Secure Future Initiative and to further the security of our customers, ourselves, and the world, today we are introducing the most transparent security research event in history: The Zero Day Quest. This new hacking event will be the largest of its kind, with an additional $4 million in potential awards for research into high-impact areas, specifically cloud and AI. Starting today, the quest kicks off with a research challenge where vulnerability submissions in targeted scenarios are eligible for multiplied bounty awards. Submissions can also qualify researchers for a spot in the onsite hacking event in Redmond, WA, in 2025. Learn more in our blog post:  msrc.microsoft.com/blog/2024/11/s… #ZeroDayQuest

We’re excited to introduce our #BlueHat lightning session speakers! Ayobami Olatunji (@ayam_mayowa) from Microsoft will present “SafeChatAI: Enhancing Cybersecurity Awareness Using Artificial Intelligence.” Ayobami is a Security PM in Isolation Platform at Microsoft. He’s focusing on ensuring users security assurance on Windows platform and leveraging various technologies like AI/ML to stay ahead of cyber threats. Ayobami is also an enthusiastic community builder, always eager to learn and share knowledge. He’s helped establish IT/Security clubs at both the University of Ilorin and Western Illinois University, creating spaces for students to grow and explore the world of technology together. Susan Krkasharian from Microsoft will present “A Security Engineer’s Journey: Creating a Developer-Friendly Security.” Susan started at Microsoft as an intern and moved to a full-time role after earning her Computer Science degree from UCLA. She has been with the DevSec team for over four years, during which she also completed her MBA at the University of Southern California. During her time at Microsoft as a security software engineer, Susan has developed effective strategies for preventing, detecting, and mitigating SSRF vulnerabilities. Zachary Steindler from Microsoft will present “Lessons Learned: Scaling Out Securing Open Source.” Zach is the chair of the OpenSSF's Technical Advisory Council and co-chair of the Securing Repositories Working Group which helps coordinate security improvements in programming language package repositories like PyPI and Ruby Gems. In early 2024 he co-published "Principles for Package Repository Security" with US CISA. He works at GitHub on securing software development for open source and enterprises. Yves Younan from Cisco Talos will present “Entitlements on macOS and why they matter.” Yves leads the Vulnerability Discovery & Research team within the Talos Security Intelligence and Research Group at Cisco. Prior to joining Sourcefire's Vulnerability Research Team, he worked as a Security Researcher with BlackBerry Security. Before joining BlackBerry, he was an academic, founding the Native Code Security group within the DistriNet research group at the Katholieke Universiteit Leuven in Belgium. He received a Master in Computer Science from the Vrije Universiteit Brussel and a PhD in Computer Science from the Katholieke Universiteit Leuven. His PhD focussed on mitigations against memory corruption vulnerabilities.

This evening, we kicked off BlueHat with a welcome reception, bringing together our speakers, MSRC MVRs, Microsoft leadership, and the MSRC team. A huge thank you to everyone who joined us and contributed to setting the stage for a successful #BlueHat!

Microsoft was proud to sponsor the Cybersecurity Woman of the Year Awards 2024. Congratulations to all the winners and nominees, including Eva Benn, Senior Security Program Manager on the Microsoft Red Team, who was a finalist for the “People’s Choice” Award. The CSWY Awards celebrate outstanding female cybersecurity professionals making a significant impact through their dedication and expertise. Additionally, Sherrod DeGrippo @sherrod_im, Director of Threat Intelligence Strategy at Microsoft @msftsecintel, shared career guidance during her keynote: “Knowing what you want is key to getting what you want. Everything you want is yours to take.” She also revealed her mantra for overcoming challenging career situations, especially when facing fears like speaking on stage in front of thousands: “Do it scared, but do it.” @KarmenINTL #CSWY2024

The Microsoft Researcher Recognition Program offers public thanks and recognition to security researchers who help protect our customers by discovering and sharing security vulnerabilities under Coordinated Vulnerability Disclosure. Today, we are excited to recognize this year’s 100 Most Valuable Researchers (MVRs), based on the total number of points earned for each valid report. Please join us in celebrating this year’s MVRs, including our top 10: 1. 🥇 Yuki Chen @guhe120 2. 🥈Wei @XiaoWei___ 3. 🥉VictorV @vv474172261 4. Suresh Chelladurai 5. Dhiral Patel @dhiralpatel94 6. Erik Donker @kire_devs_hacks 7. Nutesh Surana @_niteshsurana working with Trend Micro Zero Day Initiative @thezdi 8. Anonymous 9. Tzah Pahima @TzahPahima 10. wkai See the full list of this year’s 100 MVRs, in addition to our Azure, Office, Windows, and Dynamics 365 leaderboards: msrc.microsoft.com/blog/2024/08/c… #bugbounty #infosec

MSRC has just published a blog post for Microsoft's response to CVE-2021-44228 Apache Log4j 2 msrc-blog.microsoft.com/2021/12/11/mic…

Come and join us!

@blowdart Hope you feel better Barry.

@AtomicGaryBusey @thechrisharrod @CristinGoodwin @PetitoHead We chatted about it actually! Needs to pass legal and HR review though! 😂

@thechrisharrod @CristinGoodwin @PetitoHead Need to convince @tinderj_ to put naming rights up on the Give auction next year. :D

Someone in the family has hacked our soccer team chat app and changed my screen name but I’m not sure who is guilty. Opening SSIRP bridge now, investigation underway.

I find watching crazy weather like this akin to watching a fire. It’s a bit mesmerizing and relaxing.

I've been happily learning about machine learning. Impressed how easy it was to get up and running. Took Azure Cognitive Services for a spin. microsoft.com/en-us/ai/ai-sc…

What good is @dish if I don’t have NBC and Sunday night football? First Fox, now NBC? I’m seriously reconsidering my service now.

Hunting for OMI Vulnerability Exploitation with Azure Sentinel - Microsoft Tech Community #MSTIC #AzureSentinel techcommunity.microsoft.com/t5/azure-senti…

See more information on the Microsoft OMI CVEs in the MSRC blog post: msrc-blog.microsoft.com/2021/09/16/add…

Released clarifying guidance regarding CVE-2021-34527. Customers should check their registry settings in addition to applying the security update.

Exchange updates release today. Please prioritize patching any publicly exposed Exchange servers exposed to the Internet.

Security Updates for February 2021 are now available!. Details are here: msrc.microsoft.com/update-guide/ Important: Microsoft released Windows Updates for multiple TCP/IP vulnerabilities today. See this blog for more details about these issues: aka.ms/tcpipvulns