Microsoft Security Response Center (MSRC)

Microsoft's security update documents, as CVRF JSON

🔐 SecurityUNMONITORED
AUTH NONECORS AGENT ?HTTPS COMMERCIAL ?

The Microsoft Security Response Center API publishes machine-readable security update summaries in the CVRF format. The updates endpoint lists every monthly release with titles, dates, and links to the full vulnerability documents. No key needed — but it quietly returns an empty body unless your client sends a browser-like User-Agent.

HOW IT'S SCORED ⓘ
Status badge · for your READMEshipapis health badge: — · unmonitored
ON PROBE SCHEDULE

We probe a documented GET and expect 2xx JSON — full uptime and health score. Open provider docs ↗

Uptime historystarts after first probe

On our probe schedule. Uptime charts appear after the first check lands.

Example responsefrom provider docs — not verified by us
GET https://api.msrc.microsoft.com/cvrf/v3.0/updates

{
  "@odata.context": "https://api.msrc.microsoft.com/$metadata#Updates",
  "value": [
    {
      "ID": "1999-Sep",
      "Alias": "1999-Sep",
      "DocumentTitle": "Mariner Release Notes",
      "Severity": null,
      "InitialReleaseDate": "1999-09-02T00:00:00Z",
      "CurrentReleaseDate": "2025-10-01T23:10:48Z",
      "CvrfUrl": "https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/1999-Sep"
    }
  ]
}
Call itcurl · fetch · python
curl "https://api.msrc.microsoft.com/cvrf/v3.0/updates"
const res = await fetch("https://api.msrc.microsoft.com/cvrf/v3.0/updates");
const data = await res.json();
console.log(data);
import requests

res = requests.get("https://api.msrc.microsoft.com/cvrf/v3.0/updates")
print(res.json())

BROWSER CALLS BLOCKED (NO CORS/HTTPS) — USE THE CURL SNIPPET

Endpoints · 5On scheduleFULL DOCS ↗
On schedule — GET /cvrf/v3.0/updates awaits first probe
GET/cvrf/v3.0/updatesPROBED

Microsoft's security update documents, as CVRF JSON

GET/cvrf

Cvrf — documented GET route.

GET/cvrf/1

Cvrf details by ID (example: 1).

GET/cvrf?limit=10

Cvrf — documented GET route.

GET/cvrf/search?q=test

Search by query parameters.

Machine-readable spec

We probe a documented GET and expect 2xx JSON — full uptime and health score. Export includes every documented route below.

Response-shape history

Not tracked yet. Shape-change history starts once this API joins our probe schedule.

Microsoft Security Response Center (MSRC): common questions

Is Microsoft Security Response Center (MSRC) free to use?

Yes — Microsoft Security Response Center (MSRC) is a free security API. Free tier: Free — no key required. Whether the free tier allows commercial use is unclear — check the provider docs.

Does Microsoft Security Response Center (MSRC) need an API key?

No — Microsoft Security Response Center (MSRC) needs no API key or signup. You can call it straight away; rate limits still apply (Unpublished).

Can I call Microsoft Security Response Center (MSRC) from the browser?

Not directly — Microsoft Security Response Center (MSRC) doesn't send browser-friendly CORS headers, so call it from a server or proxy instead. Copy the curl or Python snippet on this page to get started.

Is Microsoft Security Response Center (MSRC) up right now?

Microsoft Security Response Center (MSRC) is catalogued but not yet on our probe schedule, so we don't publish a live status for it. Check the provider's own status page or docs for its current state.