In reality, the MSRC process and facilities aren't quite so glamorous. However, the resources that Microsoft applies to each vulnerability do put the company's money where its mouth is when it comes to Trustworthy Computing.
According to MSRC security program manager Stephen Toulouse, the first step in the security response process is the point at which Microsoft is made aware of a vulnerability. "We receive vulnerability reports through a variety of channels," said Toulouse. In some cases, the MSRC is notified by security researchers and others through a widely publicized e-mail address --- firstname.lastname@example.org. Some researchers have a direct line to a specific member of the MRSC team. Researchers are not compensated for their efforts, according to Toulouse. In addition to the researchers in the security community, Microsoft also has teams internally that find and report vulnerabilities to the MSRC.