Ego, curiosity, potential bug bounty & this was a low hanging fruit: I was just watching API request in Devtools while using ChatGPT. It took 10 minutes to spot it, and a week of trying to reach a human being. Iterating on the proof-of-concept code to increase potency is also a nice hobby.

These kinds of vulnerabilities give you good idea if there could be more to find, and if their bug bounty program actually is worth interacting with.

With this code smell I'm confident there's much more to find, and for a Microsoft company they're apparently not leveraging any of their security experts to monitor their traffic.

While others (and OP) give good reasons, beyond passion and interest, those I see are typically doing this without a bounty to a build public profile to establish reputation that helps with employment or building their devopssec consulting practices.

Unlike clear cut security issues like RCEs, (D)DoS and social engineering few other classes of issues are hard to process for devopssec, it is a matter of product design, beyond the control of engineering.

Say for example if you offer but do not require 2FA usage to users, having access to known passwords for some usernames from other leaks then with a rainbow table you can exploit poorly locked down accounts.

Similarly many dev tools and data stores for ease of adoption of their cloud offerings may be open by default, i.e. no authentication, publicly available or are easy to misconfigure poorly that even a simple scan on shodan would show. On a philosophical level these security issues in product design perhaps, but no company would accept those as security vulnerabilities, thankfully this type of issues is reducing these days.

When your inbox starts filling up with reporting items like this to improve their cred, you stop engaging because the product teams will not accept it and you cannot do anything about it, sooner or later devopsec teams tend to outsource initial filtering to bug bounty programs and they obviously do not a great job of responding especially when it is one of the grayer categories.

I always wonder why people not working or planning to work in infosec do this. I get giving up your free time to build open source functionality used by rich for-profit companies that will just make them rich because that's the nature of open source. But literally giving your free time to help a rich company get richer that I do not get. My only explanation is that they enjoy the process. It's like people spending their free time giving information and resources when they would not do that if that person was in front of them.

Maybe it's wrecking a site they maintain or care about.

Some people have passion.

At least one time it's worth going through all the motions to prove whether it is or is not actually functional, so that they can not say "no one reported a problem..." about all the problems.

You can't say they don't have a funtional process, and they are lying or disingenuous when they claim to, if you never actually tried for real for yourself at least once.

Because its microsoft. They know that MS will not respond, likely because MS already knows all about the problem. The fun is in pointing out how MS is so ossified and internally convoluted that it cannot apply fixes in any reasonable time. It is the last scene and the people are laughing at emperor walking around without clothes.