by tcmb 2175 days ago
Being awarded a bug bounty suggests that there was a bug that was fixed. But this was actually a misconfiguration, wasn't it? Any Azure account with a dangling subdomain and unrestricted reply-to is still vulnerable to this attack, correct?
1 comments

This critique seems to rely on an undefined definition of the terms "misconfiguration" and "bug."

Reply-to is a bug. But it might be a configuration fix, as opposed to a code fix. But without knowing how it is implemented we cannot say.

And maybe more importantly, the boundary between misconfiguration bugs and code bugs is irrelevant from an outsider's perspective.

How reply-to is implemented is irrelevant; the result is identical.

The distinction is relevant from the perspective of any other customer on Azure. A code fix would have fixed the problem for them, too. A fixed config fixes the problem for visualstudio.com only. That's what I was getting at.