Microsoft has the backing of many governments, and has access to the best legal teams possible, leaving this guy in a world of hurt.
Microsoft seems to have brought this on themselves by creating a complex and user-hostile bug reporting system. It seems to me that they could have offered this person a job or a contract, because Eclipse has been amazingly effective at uncovering high-severity exploits.
Also, Eclipse could have approached various governments offering the exploits for sale, because a lucrative market exists for such things, assuming they aren't already in the NSA portfolio. Lots of above-board companies do the same thing.
Quotes in this article blame Eclipse for the damage, but the blame should really rest with Microsoft. Eclipse is apparently just one person using an AI framework. Microsoft has vastly more resources to discover and fix problems with their products, but they never seem to do it themselves.
> “It confusingly claims their program ‘ensures researchers are compensated and publicly acknowledged’ in a statement answering a researcher who says he got neither,”
Well said.
That said, I feel bad for the inevitable victims of exploitation, and also I am certain he will end up criminalized, or, as per usual, the law will enforce a large corp's will against him.
Yes. Definitely a Friday night after a hard week take.
In my experience, corps sometimes behave this way not because it's the 'corporate intent' but simply due to internal politics and ass-covering by individual middle managers. MSFT's response is puzzling because it doesn't clear up anything nor does it try to de-escalate. It's also not the sort of completely neutral statement made when you need to respond but have nothing to say yet. This statement implies the researcher is a bad actor while also being vaguely threatening. I can't imagine any way this benefits MSFT.
It appears more like a junior exec trying to manage the optics so it looks like their department isn't in the wrong. This ass-covering accomplishes nothing for MSFT. Even if the researcher was demanding payment for a vuln and wasn't producing sufficient justification for their demand or wasn't following the process, this isn't a productive response. It sounds more like a manager is worried what their boss thinks. The manager acting this way is bad but the root cause is often the manager's upline creating a context where managers feel they need to ass-cover and stage manage optics.
The denial of Microsoft is just as harmful as the exploits of these flaws.
All it takes is one wrong person to be assigned as a report comes in, a person who doesn't understand the real value of a bounty program, or one person having a bad day to completely ruin a company's reputation. It seems like that might have happened here (of course MS has done this before so who knows if it'll matter in the end).
Microsoft needs to be completely transparent and to do so immediately. They should, with the reporter's permission, release all communications. They can exclude technical details if patches aren't available yet. Doing anything less is going to prevent a lot of people from using their bounty program in the future and we'll all be worse off for it. They almost certainly made a mistake and they need to own up to it.
I am not saying humans or AI can create "perfect" software, but NASA has shown there is a HUGE gap between what can be achieved and what commercial software has generally done. We have given software a pass on the liability for the damage it can cause when it is defective for too long. That's the only way to change this: it must hit the bottom line.
It sounded like it really could have been a backdoor that was complicated enough to not be an easy replacement to roll out without being detected, so Microslop tried to shut down the discovery as soon as possible, annoyed the wrong researcher, and now they're at risk of really having to remove their back door to an administration that is not exactly understanding.
So far as I can tell yellowkey is problematic, as the exploit takes advantage of a backdoor that MS needs to "manage" your computer.
Only recently has an OOB mitigation been offered:
https://www.techspot.com/news/112410-security-researcher-mic...
Over the course of my career I've had to deal with multiple hacks, DDOSes, and even situations working with the FBI. It's a mess, and extremely frustrating and unfair to those of us who are just trying to do a good job and make a living. Those of you who are throwing stones at Microsoft's coding, how confident are you that your code is safe from this new AI age?
Obviously MS handled this poorly; even after reading this article it's not clear how MS handles bug bounties. But that doesn't mean this "researcher" deserves a pass.
Releasing 0-days, especially working exploit code for unpatched vulnerabilities, is extremely unethical. It has real potential to cause a lot of harm to regular engineers, and users who had nothing to do with the dispute.
Did they start to do that at some point, or is this a pressure (blackmail?) campaign to get them to do that? I have no love for, but rather hate for, Microsoft, so I'm not suggesting blackmail in the sense of defending them, but it's something they could claim.
This is on Microsoft's website; they don't promise much for CVD.
Maybe Microsoft should spend less energy threatening researchers and more on not shipping the slop code in the first place.
Precisely. /Your/ customers. I have no obligation to them and you profit handsomely from them. I'm not sure you can use "opposition" as a strategy to ameliorate your own negligence followed by inaction.
They spent billions trying to build this open source and developer friendly image to just burn it all over $200,000 of unpaid security bounties.
Microsoft is a dumpster fire.
Not much has changed at Microsoft
Still trying to blame others for its own incompetence
GitHub bans security researcher who posted zero-day Windows exploits
I hope the promise of a July 14th threat goes as planned. They need to hurt. And everyone needs to see the risks they are taking by using their products.
It’s widely known how much Microsoft cooperates with three letter agencies. I think they are in a bind on how to act in these situations. They don’t want to acknowledge or fix the 0-day vulnerabilities because they don’t know if those are in use via state sponsored operations. Either they deal with customer fallout or they deal with the grief from their agency liaisons that they interrupted a multi-year operation by fixing the 0-day.
Vulnerability researchers really should avoid reporting to Microsoft and just sell them instead.
Usually, when an individual is that upset, the group or corporation is wrong and tries to shape public perception by lying.
Since when is publishing zero days a crime anyway? Shame on Microslop for these intimidation tactics. The real crime is vibe coding operating systems.
Microsoft is making all indications that it is behaving like a colossal dick. It’s not a good look. As always: if you find yourself in a deep hole, stop digging.
Part of me thinks they are welcoming this drama because if the other 0-days are genuine bugs then it muddies the water and shifts the focus away from the fact that they shipped an intentionally backdoored security product.