Pretty easy; you just email secure@microsoft.com (there are PGP or S/MIME keys available too) and you generally receive a response in a maximum of 48 hours. In most cases you get a reply within a few hours stating that you've passed their spamfilters, that they've done an initial overview of your report and that they will start looking into it.
If you google for "microsoft report security vulnerability" the first page you get is this: http://technet.microsoft.com/en-us/security/ff852094.aspx. Doesn't get much clearer than that in my opinion.