Wrote a thing on Microsoft’s stance that not following their “responsible disclosure” process is criminal activity https://doublepulsar.com/microsofts-stance-on-zero-day-exploits-is-a-dumpster-fire-of-their-own-making-0946117940a4?postPublishedType=repub
-
@GossiTheDog ugh and they left themselves some wiggle room: the way it's written, you could claim that the criminals prosecuted are the groups exploiting the vulnerabilities. That is an obvious statement and it's clearly implied that the person doing the zero day release is actively cooperating with threat actors and therefore also criminally liable, but Microsoft can always "well technically" themselves out of this claim.
@sophieschmieg yep. I get it’s a dumpster fire for them and will be causing loads of work as their workflows aren’t good for disclosure like this.. but that’s their dumpster fire to fix, not everybody else’s.
-
Wrote a thing on Microsoft’s stance that not following their “responsible disclosure” process is criminal activity https://doublepulsar.com/microsofts-stance-on-zero-day-exploits-is-a-dumpster-fire-of-their-own-making-0946117940a4?postPublishedType=repub
@GossiTheDog What happened to no more free bugs. I would prefer everyone work together to secure infrastructure but in the current environment helping vendors doesn't seem like a winning proposition.
-
Wrote a thing on Microsoft’s stance that not following their “responsible disclosure” process is criminal activity https://doublepulsar.com/microsofts-stance-on-zero-day-exploits-is-a-dumpster-fire-of-their-own-making-0946117940a4?postPublishedType=repub
@GossiTheDog however, I think it this is also just poorly worded and "these actors" possibly means the "bad actors" into whose hands the PoCs have been placed by virtue of them being published on the Internet when, most typically, Microsoft has chosen not to engage / not to see things for the problem they are / not to bother patching in any kind of hurry
-
Wrote a thing on Microsoft’s stance that not following their “responsible disclosure” process is criminal activity https://doublepulsar.com/microsofts-stance-on-zero-day-exploits-is-a-dumpster-fire-of-their-own-making-0946117940a4?postPublishedType=repub
@GossiTheDog
Multi-Hundred billion dollar company can't handle vuln disclosure properly. Not saying it doesn't take two sides here, but one of them has a ridiculous budget to actually do something about it. -
R relay@relay.infosec.exchange shared this topicR relay@relay.mycrowd.ca shared this topic
-
Wrote a thing on Microsoft’s stance that not following their “responsible disclosure” process is criminal activity https://doublepulsar.com/microsofts-stance-on-zero-day-exploits-is-a-dumpster-fire-of-their-own-making-0946117940a4?postPublishedType=repub
@GossiTheDog Weird. Any idea on what motivated the strategy change? The threat makes it seem like it's more than just behind-the-scenes conflict
-
Wrote a thing on Microsoft’s stance that not following their “responsible disclosure” process is criminal activity https://doublepulsar.com/microsofts-stance-on-zero-day-exploits-is-a-dumpster-fire-of-their-own-making-0946117940a4?postPublishedType=repub
@GossiTheDog @lisihocke
Well… that was then but this is now.
Welcome to post… idk how to call it, maybe… post-Trump business, politics and law practices. -
@GossiTheDog
Multi-Hundred billion dollar company can't handle vuln disclosure properly. Not saying it doesn't take two sides here, but one of them has a ridiculous budget to actually do something about it.@natesubra
I just skimmed over that #YellowKey thing. But the way I understand it... well: I don't know whether a responsible way to disclose such a blatantly backdoor-looking vulnerability even exists.
@GossiTheDog -
Wrote a thing on Microsoft’s stance that not following their “responsible disclosure” process is criminal activity https://doublepulsar.com/microsofts-stance-on-zero-day-exploits-is-a-dumpster-fire-of-their-own-making-0946117940a4?postPublishedType=repub
@GossiTheDog If researchers are going to be investigated by Microsoft anyway, may as well just sell it to the baddies for 10x the bounty and not even tell Microsoft.
-
@natesubra
I just skimmed over that #YellowKey thing. But the way I understand it... well: I don't know whether a responsible way to disclose such a blatantly backdoor-looking vulnerability even exists.
@GossiTheDogAlmost like they are attempting to deflect... Maybe we should be a little bit more tin foil hat about this
-
Wrote a thing on Microsoft’s stance that not following their “responsible disclosure” process is criminal activity https://doublepulsar.com/microsofts-stance-on-zero-day-exploits-is-a-dumpster-fire-of-their-own-making-0946117940a4?postPublishedType=repub
@GossiTheDog Yeah Microsoft's boondoggle with just stealing people's IP (git-flow) isn't criminal but civil at least here in the UK where it's actionable at CDPA 1988. It becomes criminal if they are found in contempt afterwards... IANAL but I'm keeping abreast, there might be some goodies in the Digital Economy Act 2010 to defend against them but ugh Mandelson helped put that on the books.
-
Wrote a thing on Microsoft’s stance that not following their “responsible disclosure” process is criminal activity https://doublepulsar.com/microsofts-stance-on-zero-day-exploits-is-a-dumpster-fire-of-their-own-making-0946117940a4?postPublishedType=repub
@GossiTheDog “doxxed on Twitter” <— really? The few personal things I read were coming from nightmare-eclipse.
-
Wrote a thing on Microsoft’s stance that not following their “responsible disclosure” process is criminal activity https://doublepulsar.com/microsofts-stance-on-zero-day-exploits-is-a-dumpster-fire-of-their-own-making-0946117940a4?postPublishedType=repub
@GossiTheDog excellent. cited https://infosec.exchange/@flyingpenguin/116662732272278173
BTW you have a "?=repub" in your URL.
