Hacker News

vorpalhex yesterday at 11:39 PM

Microsoft chose to run a shoddy bounty program. The researcher tried to do the right thing.

Microsoft could have prevented this. They were warned. It's their own fault.

The exploit exists whether or not the researcher reports it. They didn't make the exploit.


Replies

thewebguyd today at 2:37 AM

> They didn't make the exploit

This is important to remember, in this situation and all other 0-day disclosures. There's also no guarantee that the uses of said 0-day after disclosure are the only time it's been actively exploited. The exploit was already existing, and there are plenty of three-letter agencies and Israeli companies that could very well have already been aware of them.

The only place blame belongs here is on Microsoft, nowhere else.