I’m no expert. Is this an issue where MS is refusing to pay bounties to the researcher for finding the bugs, and MS follows up by deleting the researcher’s git hub? Am I missing anything? If I understand the basics, this is how you turn a white hat into a black hat. Good job microslop.
So the researcher has posted on their blog over the past few months some rants about Microsoft “destroying their life” and vowing to continue to post zero days in retaliation, and has been posting proof of concept code for these zero days to their GitHub.
From their rants (there’s a couple of fresh ones including indication that tomorrow will be “one of the hardest days of their life” and that they’ll post a big zero day on July 14th) it sounds like Microsoft deleted their account, revoked their access to the responsible disclosure portal and they’ve had some back and forth discussions in private that they’re now making more public
Normally what happens is researchers report vulnerabilities via Microsoft’s purpose-built bug bounty portal, and Microsoft can patch these vulnerabilities before they can be actively exploited, and researchers can pocket enough income to make a living entirely off of bug bounties. Obviously this all broke down in the case of this particular researcher so here we are
His blog posts share his side of the story, but Microsoft has not made any comments about what happened.
From March 26:
I never wanted to reopen a blog and a new github account to drop code…
But someone violated our agreement and left me homeless with nothing. They knew this will happen and they still stabbed me in the back anyways, this is their decision not mine.
Then on April 15:
Normally, I would go through the process of begging them to fix a bug but to summarize, I was told personally by them that they will ruin my life and they did and I’m not sure if I was the only who had this horride experience or few people did but I think most would just eat it and cut their losses but for me, they took away everything. They mopped the floor with me and pulled every childish game they could. It was soo bad at some point I was wondering if I was dealing with a massive corporation or someone who is just having fun seeing me suffer but it seems to be a collective decision.
And one other thing, they do everything but support the research community, I won’t disclose details but they sabotage people a lot. I mean just look at the past, Microsoft is the only major company who had a track of multiple vulnerabilities being publicly disclosed just because the researchers were soo upset by how MSRC treated them.
Unfortunately, the folks who have the capacity to stop those disclosures, not only don’t care but also seems to push harder for worst exploits to be released, I didn’t want to be evil but they are actively poking me to start releasing RCEs which I will be doing at some point…
I will personally make sure that it gets funnier every single time Microsoft releases a patch.
There was a comment on the first post that I feel like is pretty on point, though a bit arm chair psychologist:
You’re a smart guy. Maybe a savant. Just wondering if you’re BiPolar (like me) and see a different reality than what is real. Been there.
I’m no expert. Is this an issue where MS is refusing to pay bounties to the researcher for finding the bugs, and MS follows up by deleting the researcher’s git hub? Am I missing anything? If I understand the basics, this is how you turn a white hat into a black hat. Good job microslop.
So the researcher has posted on their blog over the past few months some rants about Microsoft “destroying their life” and vowing to continue to post zero days in retaliation, and has been posting proof of concept code for these zero days to their GitHub.
From their rants (there’s a couple of fresh ones including indication that tomorrow will be “one of the hardest days of their life” and that they’ll post a big zero day on July 14th) it sounds like Microsoft deleted their account, revoked their access to the responsible disclosure portal and they’ve had some back and forth discussions in private that they’re now making more public
Normally what happens is researchers report vulnerabilities via Microsoft’s purpose-built bug bounty portal, and Microsoft can patch these vulnerabilities before they can be actively exploited, and researchers can pocket enough income to make a living entirely off of bug bounties. Obviously this all broke down in the case of this particular researcher so here we are
His blog posts share his side of the story, but Microsoft has not made any comments about what happened.
From March 26:
Then on April 15:
There was a comment on the first post that I feel like is pretty on point, though a bit arm chair psychologist:
I don’t think we know enough information to say what the root cause is, but this is definitely not the way to go about anything on the M$ side.