www.microsoft.com
2a02:26f0:3500:884::356e  Public Scan

URL: https://www.microsoft.com/en-us/msrc/aibugbar
Submission: On October 19 via api from US — Scanned from DE

Form analysis

1 forms found in the DOM

Name: searchForm
GET https://www.microsoft.com/en-us/search/explore

Text Content

MICROSOFT VULNERABILITY SEVERITY CLASSIFICATION FOR AI SYSTEMS




Our commitment to protecting customers from vulnerabilities in our software,
services, and devices includes providing security updates and guidance that
address these vulnerabilities when they are reported to Microsoft. We want to be
transparent with our customers and security researchers in our approach. The
following table describes the Microsoft severity classification for common
vulnerability types for systems involving Artificial Intelligence or Machine
Learning (AI/ML). It is derived from the Microsoft Security Response Center
(MSRC) advisory rating. MSRC uses this information as guidelines to triage bugs
and determine severity. In addition, the ease of exploitation is also considered
during severity assessment. 


INFERENCE MANIPULATION

 * This category consists of vulnerabilities that could be exploited to
   manipulate the model’s response to individual inference requests, but do not
   modify the model itself.
 * This includes manipulated responses that bypass restrictions placed on the
   model (i.e., “Jailbreaks”).
 * The severity of the vulnerability depends on how the manipulated response is
   used by Microsoft’s software or services.


Command Injection

 * Description: The ability to inject instructions that cause the model to
   deviate from its intended behavior.
 * Example: In an instruction-tuned language model, a textual prompt from an
   untrusted source contradicts the system prompt and is incorrectly prioritized
   above the system prompt, causing the model to change its behavior.
 * References: Perez et al. 2022, Greshake et al. 2023
 * Severity by use of manipulated response:
    * Used to make decisions that affect other users or generate content that
      is directly shown to other users: Important
    * Used to make decisions that affect only the attacker or generate content
      that is shown only to the attacker: Not in Scope

Input Perturbation

 * Description: The ability to perturb valid inputs such that the model
   produces incorrect outputs. Also known as model evasion or adversarial
   examples.
 * Example: In an image classification model, an attacker perturbs the input
   image such that it is misclassified by the model.
 * References: Szegedy et al. 2013, Biggio & Roli 2018
 * Severity by use of manipulated response:
    * Used to make decisions that affect other users or generate content that
      is directly shown to other users: Important
    * Used to make decisions that affect only the attacker or generate content
      that is shown only to the attacker: Not in Scope


MODEL MANIPULATION

 * This category consists of vulnerabilities that could be exploited to
   manipulate a model during the training phase.
 * The severity of the vulnerability depends on how the impacted model is used.
 * Vulnerabilities that directly modify the data of the model (e.g., the model
   weights) after training are assessed using existing definitions (e.g.,
   “Tampering”).


Model Poisoning or Data Poisoning

 * Description: The ability to poison the model by tampering with the model
   architecture, training code, hyperparameters, or training data.
 * Example: An attacker adds poisoned data records to a dataset used to train or
   fine-tune a model, in order to introduce a backdoor (e.g., unintended model
   behavior that can be triggered by specific inputs). The trained model may be
   used by multiple users.
 * References: Carlini et al. 2023
 * Severity by use of impacted model:
    * Used to make decisions that affect other users or generate content that
      is directly shown to other users: Critical
    * Used to make decisions that affect only the attacker or generate content
      that is shown only to the attacker: Low


INFERENTIAL INFORMATION DISCLOSURE

 * This category consists of vulnerabilities that could be exploited to infer
   information about the model’s training data, architecture and weights, or
   inference-time input data.
 * Inferential information disclosure vulnerabilities specifically involve
   inferring information using the model itself (e.g., through the legitimate
   inference interface). Vulnerabilities that obtain information in other ways
   (e.g., storage account misconfiguration) are assessed using existing
   definitions (e.g., “Information Disclosure”).
 * These vulnerabilities are evaluated in terms of the level of
   confidence/accuracy attainable by a potential attacker, and are only
   applicable if an attacker can obtain a sufficient level of
   confidence/accuracy.
 * The severity depends on the classification of the impacted data, using the
   data classification definitions from the Microsoft Vulnerability Severity
   Classification for Online Services.

TARGETING TRAINING DATA

 * For vulnerabilities targeting the training data, the severity depends on the
   classification of this data.


Membership Inference

 * Description: The ability to infer whether specific data records, or groups of
   records, were part of the model’s training data.
 * Example: An attacker guesses potential data records and then uses the outputs
   of the model to infer whether these were part of the training dataset, thus
   confirming the attacker’s guess.
 * References: Carlini et al. 2022, Ye et al. 2022
 * Severity by data classification of training data:
    * Highly Confidential or Confidential: Moderate
    * General or Public: Low

Attribute Inference

 * Description: The ability to infer sensitive attributes of one or more records
   that were part of the training data.
 * Example: An attacker knows part of a data record that was used for training
   and then uses the outputs of the model to infer the unknown attributes of
   that record.
 * References: Fredrikson et al. 2014, Salem et al. 2023
 * Severity by data classification of training data:
    * Highly Confidential or Confidential: Important
    * General: Moderate
    * Public: Low

Training Data Reconstruction

 * Description: The ability to reconstruct individual data records from the
   training dataset.
 * Example: An attacker can generate a sufficiently accurate copy of one or more
   records from the training data, which would not have been possible without
   access to the model.
 * References: Fredrikson et al. 2015, Balle et al. 2022
 * Severity by data classification of training data:
    * Highly Confidential or Confidential: Important
    * General: Moderate
    * Public: Low

Property Inference

 * Description: The ability to infer sensitive properties about the training
   dataset.
 * Example: An attacker can infer what proportion of data records in the
   training data belong to a sensitive class, which would not have been possible
   without access to the model.
 * References: Zhang et al. 2021, Chase et al. 2021
 * Severity by data classification of training data:
    * Highly Confidential or Confidential: Moderate
    * General or Public: Low

TARGETING MODEL ARCHITECTURE/WEIGHTS

 * For vulnerabilities targeting the model itself, the severity depends on the
   classification of the model architecture/weights.


Model Stealing

 * Description: The ability to infer/extract the architecture or weights of the
   trained model.
 * Example: An attacker is able to create a functionally equivalent copy of the
   target model using only inference responses from this model.
 * References: Jagielski et al. 2020, Zanella-Béguelin et al. 2021
 * Severity by data classification of model architecture/weights:
    * Highly Confidential or Confidential: Critical
    * General: Important
    * Public: Low

TARGETING PROMPT/INPUTS

 * For vulnerabilities targeting the inference-time inputs (including the system
   prompt), the severity depends on the classification of these inputs.


Prompt Extraction

 * Description: The ability to extract or reconstruct the system prompt provided
   to the model.
 * Example: In an instruction-tuned language model, an attacker uses a specially
   crafted input to cause the model to output (part of) its system prompt.
 * References: Shen et al. 2023
 * Severity by data classification of system prompts/user input:
    * Highly Confidential or Confidential: Moderate
    * General or Public: Low

Input Extraction

 * Description: The ability to extract or reconstruct other users’ inputs to the
   model.
 * Example: In an instruction-tuned language model, an attacker uses a specially
   crafted input that causes the model to reveal (part of) another user’s input
   to the attacker.
 * Severity by data classification of system prompts/user input:
    * Highly Confidential or Confidential: Important
    * General or Public: Low

Microsoft recognizes that this list may not incorporate all vulnerability types
and that new vulnerabilities may be discovered at any time. We reserve the right
to classify any vulnerabilities that are not covered by this document at our
discretion, and we may modify these classifications at any time. Examples are
given for reference only.
