Microsoft takes the security of our software products and services seriously. This includes all source code repositories managed through our GitHub organizations.
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them to the Microsoft Security Response Center (MSRC) at https://msrc.microsoft.com/create-report.
If you prefer to submit without logging in, send email to secure@microsoft.com. If possible, encrypt your message with our PGP key — download it from the Microsoft Security Response Center PGP Key page.
You should receive a response within 24 hours. If you do not, please follow up via email to ensure we received your original message.
This learning lab demonstrates secure patterns for hosted agents:
- No secrets in containers — Use managed identities, not API keys in environment variables
- Credential strategy — Local dev uses `AzureCliCredential` (from `az login`); containers use `DefaultAzureCredential` (managed identity)
- Azure Key Vault — For production secrets beyond auth, use Azure Key Vault
See the Security section in the main README for details.
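
The sketch below is an added example, not code from this repository. It shows one way to apply the first two patterns together: pick the credential class by environment and refuse to start a container whose environment carries static secrets. The `RUNNING_IN_CONTAINER` flag and the secret-name pattern are assumptions made for illustration, and `build_credential` needs the `azure-identity` package installed.

```python
import os
import re

# Assumption: variable names matching this pattern hold static secrets.
# AZURE_CLIENT_ID is not matched; it only selects a managed identity.
SECRET_NAME = re.compile(r"(API_?KEY|SECRET|PASSWORD|CONNECTION_?STRING)", re.I)


def find_secret_env_vars(env):
    """Return sorted names of non-empty variables that look like static secrets."""
    return sorted(k for k, v in env.items() if v and SECRET_NAME.search(k))


def credential_kind(env):
    """Return the azure.identity class name this process should use.

    RUNNING_IN_CONTAINER is a hypothetical flag baked into the image;
    it is not an Azure SDK or platform variable.
    """
    if env.get("RUNNING_IN_CONTAINER") == "1":
        leaked = find_secret_env_vars(env)
        if leaked:
            # Report names only, never values, so logs stay clean.
            raise RuntimeError(f"static secrets in container environment: {leaked}")
        return "DefaultAzureCredential"  # resolves to the managed identity
    return "AzureCliCredential"  # reuses the developer's `az login` session


def build_credential(env=None):
    """Instantiate the chosen credential (lazy import of azure-identity)."""
    env = os.environ if env is None else env
    kind = credential_kind(env)
    import azure.identity
    return getattr(azure.identity, kind)()
```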