Hacker News

will4274, last Sunday at 8:20 PM (1 reply)

Fwiw, the way it works is that Microsoft doesn't really have a bug bounty program. Individual Microsoft teams have bug bounty programs (or not). Platform teams like Entra, Windows, and Azure have robust programs. However, when teams that operate on top of platforms misconfigure those platforms (as happened here), those bugs are owned by the teams that operate on top of the platform, not by the platform.


Replies

themafia, last Sunday at 9:20 PM

That's some exceptionally shallow thinking on their part. I think many people would agree that part of the vulnerability is that the authentication configuration options do not map well onto real-world use cases, the documentation surrounding this is absent or confusing, and even internal teams that should know better are creating insecure services an alarming percentage of the time.

This is what I like about actual safety culture, like you would find in aviation: _all causes_ are to be investigated, all the way back to the shape, size and position of the switches on the flight deck.

It's difficult to take Microsoft's stance seriously. It makes the prices for their "service" seem completely unjustifiable.