Bug Bounties
Microsoft (bounty programs)

Microsoft (bounty programs)

Top 100 site
technet.microsoft.com → Homepage Contact
Partial Safe Harbor

Known Exploited Vulnerabilities 377CVEs

103 linked to ransomware campaigns

  • CVE-2008-4250WindowsMay 20, 202692.1% EPSS

    Microsoft Windows contains a buffer overflow vulnerability in the Windows Server Service that allows remote attackers to execute arbitrary code via a crafted RPC request that triggers an overflow during path canonicalization.

  • CVE-2009-1537DirectXMay 20, 202653.0% EPSS

    Microsoft DirectX contains a NULL byte overwrite vulnerability in the QuickTime Movie Parser Filter in quartz.dll in DirectShow which could allow remote attackers to execute arbitrary code via a crafted QuickTime media file.

  • CVE-2010-0249Internet ExplorerMay 20, 202688.8% EPSS

    Microsoft Internet Explorer contains an use-after-free vulnerability that could allow remote attackers to execute arbitrary code by accessing a pointer associated with a deleted object. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.

  • CVE-2010-0806Internet ExplorerMay 20, 202687.3% EPSS

    Microsoft Internet Explorer contains an use-after-free vulnerability that could allow remote attackers to execute arbitrary code via vectors involving access to an invalid pointer after the deletion of an object. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.

  • CVE-2026-41091DefenderMay 20, 20268.0% EPSS

    Microsoft Defender contains a link following vulnerability that allows an authorized attacker to elevate privileges locally.

  • CVE-2026-45498DefenderMay 20, 20264.1% EPSS

    Microsoft Defender contains an unspecified vulnerability that allows for denial of service.

  • CVE-2026-42897MicrosoftMay 15, 20267.9% EPSS

    Microsoft Exchange Server contains a cross-site scripting vulnerability during web page generation in Outlook Web Access and when certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context.

  • CVE-2026-32202WindowsApr 28, 202656.8% EPSS

    Microsoft Windows Shell contains a protection mechanism failure vulnerability that allows an unauthorized attacker to perform spoofing over a network.

  • CVE-2026-33825DefenderApr 22, 20267.1% EPSS

    Microsoft Defender contains an insufficient granularity of access control vulnerability that could allow an authorized attacker to escalate privileges locally.

  • CVE-2009-0238OfficeApr 14, 202672.9% EPSS

    Microsoft Office Excel contains a remote code execution vulnerability that could allow an attacker to take complete control of an affected system if a user opens a specially crafted Excel file that includes a malformed object.

and 367 more - view full CISA catalog →

security.txt

Contact
https://msrc.microsoft.com/report/vulnerability/new
Encryption
https://msrc.microsoft.com/.well-known/csaf/openpgp/998D7EC1A516E3D17FF90480EF148D3CDE714E0D.asc
Policy
https://www.microsoft.com/en-us/msrc/bounty-safe-harbor
Acknowledgments
https://msrc.microsoft.com/update-guide/acknowledgement
Languages
en
Expires
Sep 23, 2026
View raw security.txt →