Wrote a thing on Microsoft’s stance that not following their “responsible disclosure” process is criminal activity https://doublepulsar.com/microsofts-stance-on-zero-day-exploits-is-a-dumpster-fire-of-their-own-making-0946117940a4?postPublishedType=repub

Reply to Wrote a thing on Microsoft’s stance that not following their “responsible disclosure” process is criminal activity https://doublepulsar.com/microsofts-stance-on-zero-day-exploits-is-a-dumpster-fire-of-their-own-making-0946117940a4?postPublishedType=repub on Sat, 30 May 2026 10:55:54 GMT

flyingpenguin@infosec.exchange — Sat, 30 May 2026 10:55:54 GMT

@GossiTheDog excellent. cited https://infosec.exchange/@flyingpenguin/116662732272278173

BTW you have a "?=repub" in your URL.

Reply to Wrote a thing on Microsoft’s stance that not following their “responsible disclosure” process is criminal activity https://doublepulsar.com/microsofts-stance-on-zero-day-exploits-is-a-dumpster-fire-of-their-own-making-0946117940a4?postPublishedType=repub on Fri, 29 May 2026 23:39:00 GMT

9o07@infosec.exchange — Fri, 29 May 2026 23:39:00 GMT

@GossiTheDog “doxxed on Twitter” <— really? The few personal things I read were coming from nightmare-eclipse.

Reply to Wrote a thing on Microsoft’s stance that not following their “responsible disclosure” process is criminal activity https://doublepulsar.com/microsofts-stance-on-zero-day-exploits-is-a-dumpster-fire-of-their-own-making-0946117940a4?postPublishedType=repub on Thu, 28 May 2026 22:31:58 GMT

bms48@mastodon.social — Thu, 28 May 2026 22:31:58 GMT

@GossiTheDog Yeah Microsoft's boondoggle with just stealing people's IP (git-flow) isn't criminal but civil at least here in the UK where it's actionable at CDPA 1988. It becomes criminal if they are found in contempt afterwards... IANAL but I'm keeping abreast, there might be some goodies in the Digital Economy Act 2010 to defend against them but ugh Mandelson helped put that on the books.

Reply to Wrote a thing on Microsoft’s stance that not following their “responsible disclosure” process is criminal activity https://doublepulsar.com/microsofts-stance-on-zero-day-exploits-is-a-dumpster-fire-of-their-own-making-0946117940a4?postPublishedType=repub on Thu, 28 May 2026 22:21:10 GMT

natesubra@infosec.exchange — Thu, 28 May 2026 22:21:10 GMT

@musevg @GossiTheDog

Almost like they are attempting to deflect... Maybe we should be a little bit more tin foil hat about this

Reply to Wrote a thing on Microsoft’s stance that not following their “responsible disclosure” process is criminal activity https://doublepulsar.com/microsofts-stance-on-zero-day-exploits-is-a-dumpster-fire-of-their-own-making-0946117940a4?postPublishedType=repub on Thu, 28 May 2026 21:45:53 GMT

chrisp@cyberplace.social — Thu, 28 May 2026 21:45:53 GMT

@GossiTheDog If researchers are going to be investigated by Microsoft anyway, may as well just sell it to the baddies for 10x the bounty and not even tell Microsoft.

Reply to Wrote a thing on Microsoft’s stance that not following their “responsible disclosure” process is criminal activity https://doublepulsar.com/microsofts-stance-on-zero-day-exploits-is-a-dumpster-fire-of-their-own-making-0946117940a4?postPublishedType=repub on Thu, 28 May 2026 21:39:27 GMT

musevg@23.social — Thu, 28 May 2026 21:39:27 GMT

@natesubra
I just skimmed over that #YellowKey thing. But the way I understand it... well: I don't know whether a responsible way to disclose such a blatantly backdoor-looking vulnerability even exists.
@GossiTheDog

Reply to Wrote a thing on Microsoft’s stance that not following their “responsible disclosure” process is criminal activity https://doublepulsar.com/microsofts-stance-on-zero-day-exploits-is-a-dumpster-fire-of-their-own-making-0946117940a4?postPublishedType=repub on Thu, 28 May 2026 21:36:16 GMT

musevg@23.social — Thu, 28 May 2026 21:36:16 GMT

@GossiTheDog @lisihocke
Well… that was then but this is now.
Welcome to post… idk how to call it, maybe… post-Trump business, politics and law practices.

Reply to Wrote a thing on Microsoft’s stance that not following their “responsible disclosure” process is criminal activity https://doublepulsar.com/microsofts-stance-on-zero-day-exploits-is-a-dumpster-fire-of-their-own-making-0946117940a4?postPublishedType=repub on Thu, 28 May 2026 21:30:32 GMT

multisn8@mastodon.catgirl.cloud — Thu, 28 May 2026 21:30:32 GMT

@GossiTheDog Weird. Any idea on what motivated the strategy change? The threat makes it seem like it's more than just behind-the-scenes conflict

Reply to Wrote a thing on Microsoft’s stance that not following their “responsible disclosure” process is criminal activity https://doublepulsar.com/microsofts-stance-on-zero-day-exploits-is-a-dumpster-fire-of-their-own-making-0946117940a4?postPublishedType=repub on Thu, 28 May 2026 16:11:56 GMT

natesubra@infosec.exchange — Thu, 28 May 2026 16:11:56 GMT

@GossiTheDog
Multi-Hundred billion dollar company can't handle vuln disclosure properly. Not saying it doesn't take two sides here, but one of them has a ridiculous budget to actually do something about it.

Reply to Wrote a thing on Microsoft’s stance that not following their “responsible disclosure” process is criminal activity https://doublepulsar.com/microsofts-stance-on-zero-day-exploits-is-a-dumpster-fire-of-their-own-making-0946117940a4?postPublishedType=repub on Thu, 28 May 2026 15:41:21 GMT

interpipes@thx.gg — Thu, 28 May 2026 15:41:21 GMT

@GossiTheDog however, I think it this is also just poorly worded and "these actors" possibly means the "bad actors" into whose hands the PoCs have been placed by virtue of them being published on the Internet when, most typically, Microsoft has chosen not to engage / not to see things for the problem they are / not to bother patching in any kind of hurry

Reply to Wrote a thing on Microsoft’s stance that not following their “responsible disclosure” process is criminal activity https://doublepulsar.com/microsofts-stance-on-zero-day-exploits-is-a-dumpster-fire-of-their-own-making-0946117940a4?postPublishedType=repub on Thu, 28 May 2026 15:34:58 GMT

mirth@mastodon.sdf.org — Thu, 28 May 2026 15:34:58 GMT

@GossiTheDog What happened to no more free bugs. I would prefer everyone work together to secure infrastructure but in the current environment helping vendors doesn't seem like a winning proposition.

Reply to Wrote a thing on Microsoft’s stance that not following their “responsible disclosure” process is criminal activity https://doublepulsar.com/microsofts-stance-on-zero-day-exploits-is-a-dumpster-fire-of-their-own-making-0946117940a4?postPublishedType=repub on Thu, 28 May 2026 15:31:08 GMT

gossithedog@cyberplace.social — Thu, 28 May 2026 15:31:08 GMT

@sophieschmieg yep. I get it’s a dumpster fire for them and will be causing loads of work as their workflows aren’t good for disclosure like this.. but that’s their dumpster fire to fix, not everybody else’s.

Reply to Wrote a thing on Microsoft’s stance that not following their “responsible disclosure” process is criminal activity https://doublepulsar.com/microsofts-stance-on-zero-day-exploits-is-a-dumpster-fire-of-their-own-making-0946117940a4?postPublishedType=repub on Thu, 28 May 2026 15:17:04 GMT

sophieschmieg@infosec.exchange — Thu, 28 May 2026 15:17:04 GMT

@GossiTheDog ugh and they left themselves some wiggle room: the way it's written, you could claim that the criminals prosecuted are the groups exploiting the vulnerabilities. That is an obvious statement and it's clearly implied that the person doing the zero day release is actively cooperating with threat actors and therefore also criminally liable, but Microsoft can always "well technically" themselves out of this claim.