Do not impact other users with your testing; this includes changing or accessing other users' data. If you are attempting to find an authorization bypass, you must use accounts you own.
Stop immediately if you believe you have affected the availability of our services. Don't worry about demonstrating the full impact of your vulnerability; Copilot's security team will be able to assess the impact.
Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
Submissions must include written instructions for reproducing the vulnerability.
When reporting vulnerabilities you must keep all information confidential. Do not post information to video-sharing or pastebin sites. Videos and images can be sent directly to us.
For vulnerabilities involving personally identifiable information, please explain the kind of PII you believe is exposed and limit the amount of PII data included in your submissions. For textual information and screenshots, please only include redacted data in your submission.
Do not publicly disclose your submission until Copilot has evaluated the impact.