Microsoft's policy is: "if you contact us with a vulnerability, you automatically agree to the terms of our responsible disclosure policy", which includes waiting 30 days after a patch was created, and says nothing about how long that process takes.
There is actually no way to give them a friendly heads up, and then do your own thing. The only way not to be bound is by not sending them any notification at all...
I wonder if "if you contact us... you automatically agree" stands in court. That's just ridiculous.
Since no contract is signed, this is just pure fantasy on your part.
> terms of our responsible disclosure policy
I couldn't find a public copy of that.
The best starting point I found for reporting vulnerabilities was: https://github.com/microsoft/MSRC-Security-Research/security...
You can email without agreeing to anything. But for a serious issue Microsoft would obviously try and track down who you are and what jurisdiction you are in.