Hacker News

hedora, today at 12:24 AM (3 replies)

It sounds like they're pissed because they produced a large number of high-value exploits, sent them to MS, were treated like crap, and then MS refused to honor their own published bounties:

> But to save money, Microsoft fired the skilled people, leaving flowchart followers. I wouldn't be surprised if Microsoft closed the case after the reporter refused to submit a video of the exploit, since that's apparently an MSRC requirement now."

If I spent years learning your system, then gift wrapped zero-days that are devastating at multiple levels of your stack for you, and the response was flow chart tech support with a "buy a webcam" cherry on top, I'd be pretty pissed too. The bounties for these (which apparently work, since they're under active exploitation) add up to mid six figures, and, apparently, there's a pile of additional ones in the wings.

Bug bounties are already exploitative (they pay 10x higher wages to people that write the bugs than the people that find them, and finding them is generally much harder).

Breaking trust by refusing to pay up when the issues are filed through official channels is unprofessional and sleazy.

If this researcher actually had a vendetta, I'd expect them to just sell the remaining zero-days to the highest bidder.


Replies

selcuka, today at 1:34 AM

> If this researcher actually had a vendetta, I'd expect them to just sell the remaining zero-days to the highest bidder.

How do we know they didn't? It's called zero-day because Microsoft wasn't aware of the exploits until today. It doesn't mean that no other parties have known about them.

sgjohnson, today at 12:38 AM

> If this researcher actually had a vendetta, I'd expect them to just sell the remaining zero-days to the highest bidder.

Selling to the highest bidder doesn't generate headlines though.

thaumasiotes, today at 12:49 AM

> and the response was flow chart tech support with a "buy a webcam" cherry on top

I feel safe in saying that they don't want a video of you at your keyboard typing stuff. An exploit video is a recording of your screen, not of you.
