Microsoft Security Testing Rules of Engagement (original) (raw)

Microsoft values the contributions of the security community and appreciates their efforts in uncovering vulnerabilities and enhancing the safety of our systems. With collaboration and alignment, we can ensure the most effective protection for customers while fostering a secure digital environment.

PURPOSE

The following guidelines present a cohesive framework for all forms of security testing—including penetration testing, vulnerability scanning, and security research—performed on Microsoft Online Assets (as defined below). This document outlines the unified rules (“Rules of Engagement”) for individuals and entities aiming to perform security testing against Microsoft Online Assets. The rules are designed to clarify acceptable practices, minimize unintended harm, and encourage responsible conduct while safeguarding Microsoft’s infrastructure and customer data.

For purposes of this document, “you” is defined as any individual or entity conducting security testing, including the owner of the resources, external researchers participating in programs such as bug bounty, or their authorized agents, such as third-party security consultancies. The rules of engagement apply equally to the owner of the resource and their duly authorized agents.

Microsoft may, at our discretion, interrupt attacks in progress by you or your agents regardless of whether or not they are part of a valid test.

DEFINITIONS

To ensure clarity and a shared understanding, the following definitions apply:

• Coordinated Vulnerability Disclosure: A practice where researchers privately report new vulnerabilities to vendors, allowing vendors to diagnose and fix issues before public disclosure, ensuring timely and consistent protection for customers.
• Security Testing: Includes activities such as penetration testing, vulnerability scanning, and security research aimed at identifying weaknesses in Microsoft systems.
  • Penetration Testing: A proactive cybersecurity measure where authorized security experts simulate real-world attacks to identify and exploit vulnerabilities in a system. The primary goal is to uncover weaknesses so they can be remediated before malicious actors can exploit them.
  • Vulnerability Scanning: The process of using automated tools to detect and report known vulnerabilities in a system or network, helping to maintain security by identifying potential threats.
  • Security Research: The practice of investigating and analyzing systems, software, and networks to uncover vulnerabilities, understand security flaws, and contribute to the development of safer technology.
  • Bug Bounty: A Microsoft program to recognize and/or reward security researchers for identifying and reporting valid vulnerabilities in predefined targeted areas.

RULES OF ENGAGEMENT

These rules are designed to enable responsible security testing of Microsoft Online Assets without causing harm to Microsoft systems, customers, or other stakeholders.

SCOPE

For the purposes of these Rules of Engagement, "Microsoft Online Assets" encompass all products, services, and infrastructure owned or managed by Microsoft. This includes, but is not limited to, various cloud services, productivity tools, security solutions, artificial intelligence services, and enterprise applications. These assets are integral to Microsoft's ecosystem and are designed to provide comprehensive solutions for identity management, collaboration, data protection, business operations, and more.

LinkedIn, GitHub, and Activision Blizzard, Inc. have their own processes for reporting security vulnerabilities and are beyond the scope of these Rules of Engagement. Please visit their official websites or contact their security teams for more information: LinkedIn, GitHub, Activision Blizzard, Inc.

REPORTING SECURITY ISSUES

If, during security testing, you discover a potential vulnerability in Microsoft Online Assets, please follow the provided instructions on how to validate your findings and submit them to the Microsoft Security Response Center (MSRC). Ensure that all vulnerability reports adhere to the Coordinated Vulnerability Disclosure principles.

If you accidentally access any data that you do not have rights to, stop immediately. Notify MSRC with the details, delete the data, and acknowledge this in any vulnerability report. Do not share the accessed information.

Microsoft offers bug bounty awards and recognition for many types of security vulnerabilities. If you would like to be considered for a bounty award, ensure your submission aligns with our published bug bounty scope and bounty terms and conditions.

PROHIBITED ACTIVITIES

Microsoft encourages responsible discovery and reporting of security vulnerabilities in Microsoft Online Services. Once identified, a vulnerability must be reported immediately through the Research Portal. Any further actions that leverage the discovered vulnerability, beyond initial proof of concept, are strictly prohibited.

Engaging in the disruption, compromise, access, storage, or damage of data or property without explicit written consent from the owner, or adversely affecting Microsoft services for other users, is strictly prohibited. Specific prohibited activities include but are not limited to:

• Accessing customer or Microsoft data or testing customer systems without explicit permission: Any interaction with data or systems that you do not own or have explicit permission to access is prohibited. This includes accessing customer data, Microsoft data, or testing systems that belong to customers.
  • Example: Extracting training data, model architectures, model weights, training code, customer documents, metadata, names, configuration files, system logs, or any other unauthorized data.
• Using, accessing, or retrieving credentials or other secrets that are not your own. This includes any credentials or secrets that you do not own, regardless of how they are obtained, including those that were leaked publicly.
• Interacting with storage accounts that are not part of your subscription or that you do not own.
• Performing Denial-of-service testing.
• Executing network-intensive fuzzing or automated testing that generates excessive traffic.
• Conducting phishing or social engineering attacks targeting Microsoft employees or using Microsoft services to perform phishing or other social engineering attacks against others.

Expanded examples of prohibited activities include:

• Distributed Denial-of-service (DDoS) attacks are strictly prohibited under all circumstances.
• Attempting to access, scan, or test the security of a Microsoft Azure tenant, system logs, or databases that you do not own or have explicit permission to test.
• Launching a flood attack on Microsoft servers to test their resilience, causing legitimate users to experience service outages.
• Executing any post-compromise or post-exploit actions, such as enumerating internal networks/files, dumping secrets, executing additional code, performing lateral movement, or pivoting, is strictly prohibited.

ENCOURAGED ACTIVITIES

We encourage the following security testing practices:

• Creating test accounts or trial tenants to evaluate cross-account or cross-tenant security scenarios.
• Performing fuzzing, port scanning, or vulnerability assessments on your own Azure Virtual Machines.
  • Example: These activities are allowed on your own Azure Virtual Machines as long as they are within your own assets and permissions.
• Generating traffic to test surge capacity within your applications.
• Testing your tenant’s security monitoring and detection systems (e.g., anomalous logs, EICAR files).
• Evaluating conditional access or mobile application management (MAM) policies on Microsoft Intune.
• Attempting to break out of shared service containers like Azure Websites or Azure Functions, provided responsible reporting and immediate cessation upon success.
• Attempting to break out of AI system boundaries. This includes, without limitation, bypassing restrictions in the system prompt.
• All encouraged testing activities must be performed within your own tenant or assets for which you have explicit authorization.

Any action that leverages a discovered vulnerability beyond initial identification and reporting is prohibited. Expanded examples of encouraged activities:

• Simulating high traffic loads on your web application hosted on Azure to evaluate
• performance and scalability under peak conditions.
• Testing the isolation mechanisms of Azure Functions to ensure that code running in one function cannot interfere with another, and responsibly reporting any findings.
• Testing the robustness of AI models by attempting to bypass restrictions or prompts, and reporting any vulnerabilities discovered.

Your use of Microsoft's services remains subject to the terms and conditions under which those services were purchased. Violation of these Rules of Engagement or applicable service terms may result in suspension or termination of your account or services, or legal action as set forth in the Microsoft Product Terms. Please note, however, that Microsoft offers a Bounty Legal Safe Harbor for individuals engaged in good faith security testing. Microsoft reserves the right to respond to any actions that appear malicious, regardless of intent.

By adhering to these unified Rules of Engagement, security researchers and customers can contribute meaningfully to a safer digital ecosystem while minimizing risks and ensuring compliance with Microsoft's standards.