So the researcher has posted on their blog over the past few months some rants about Microsoft “destroying their life” and vowing to continue to post zero days in retaliation, and has been posting proof of concept code for these zero days to their GitHub.
From their rants (there’s a couple of fresh ones including indication that tomorrow will be “one of the hardest days of their life” and that they’ll post a big zero day on July 14th) it sounds like Microsoft deleted their account, revoked their access to the responsible disclosure portal and they’ve had some back and forth discussions in private that they’re now making more public
Normally what happens is researchers report vulnerabilities via Microsoft’s purpose-built bug bounty portal, and Microsoft can patch these vulnerabilities before they can be actively exploited, and researchers can pocket enough income to make a living entirely off of bug bounties. Obviously this all broke down in the case of this particular researcher so here we are
So the researcher has posted on their blog over the past few months some rants about Microsoft “destroying their life” and vowing to continue to post zero days in retaliation, and has been posting proof of concept code for these zero days to their GitHub.
From their rants (there’s a couple of fresh ones including indication that tomorrow will be “one of the hardest days of their life” and that they’ll post a big zero day on July 14th) it sounds like Microsoft deleted their account, revoked their access to the responsible disclosure portal and they’ve had some back and forth discussions in private that they’re now making more public
Normally what happens is researchers report vulnerabilities via Microsoft’s purpose-built bug bounty portal, and Microsoft can patch these vulnerabilities before they can be actively exploited, and researchers can pocket enough income to make a living entirely off of bug bounties. Obviously this all broke down in the case of this particular researcher so here we are