[awd]

"Microsoft Bug Bounty Program's (MSRC) response was poor: Initially, they misjudged and dismissed the issue entirely."

I recently ran into a similar issue with MSRC. I reported two exactly similar(near perfect) heap overflows exploitable from a local perspective with some time in between. The first report was awarded the maximum payout, and patched as 'Important'.

Meanwhile, MSRC changed its rules related local exploitation. Now, to obtain that, one needs to show the exploit working in the most hardened sandbox processes on the system. From my perspective this is quite unfair, both bugs are reported with the same severity to Microsoft's own customers. Both breach about 3 defined security boundaries (process, session and user). So, my communication stayed the same (all technical details), Microsoft's communication with _their_ customers stayed the same (important severity issue, 7.8 cvss), the only thing changed was my reward...(reason: ohh, it's not a sandboxed process, to we don't care.).

The only way to obtain the maximum payout is this even more stringent, and new, requirement of 'sandboxed process' -> 'other user' boundary. As if there are not a hundred thousand organizations sharing machines between users using Citrix and terminal and other similar technologies...

In any case, given that it takes close to a year, with hundreds of hours invested to uncover such a bug... I'm going to take my submissions elsewhere...

[MichaelBurge]

If you're not selling the exploits to Microsoft, where else do you sell them?

[awd]

https://zerodium.com/, the going rate for a full exploit there (and I assume, one that works quickly & leaves little trace, i.e. a high quality exploit, never dealt with them before) is 80k.

Under the old rules that's already 4x as much as MS, but the warm fuzzies made up for that I suppose. Under the new rules, 40x as much, and no warm fuzzies are worth that imo.

[rfd4sgmk8u]

Selling to Zerodium is not equivalent to getting a bounty from MSFT. Selling exploit code hurts people. Microsoft will patch the vuln to protect its customers. Selling exploits to Zerodium is very bad. Be a force for good in this world.

[MichaelBurge]

> Access to Zerodium Zero-Day Research Feed is highly restricted and is only available to a very limited number of eligible government institutions.

Sounds like they sell it to the NSA/CIA/FBI so it's used for "national security" and not ransomware worms.

[lobocinza]

Basically saving then the trouble.

[lobocinza]

Windows is not a force for good.

> Selling exploit code hurts people.

As providing backdoors for state agents like Microsoft and other companies do.

I'm ignorant on the matter but is Zerodium a black market? As far as I know they might be selling any exploits to the affected companies.

[rfd4sgmk8u]

The logic of business would imply that a vendor of exploit code is going to make significantly more money reselling the exploit than the author of the exploit code. 100k for an exploit to the author? The exploit vendor will sell it for millions. Who has deep pockets enough that they are willing to buy exploit code for millions? A software vendor can engineers for many years for this cost.

Yeah, I don't like windows either, but its not the point. Billions rely on the security of Windows today, our entire global economy is dependent on reliability of our information systems.

One either helps maintain the security of our systems globally, or they seek to disrupt it for a pay day. I get quite upset when people enter with the mindset of 'the actual vendor wont pay me enough, ill sell it to shady exploit market'. It is not a simple pay day.

[maccolgan]

It's Microsoft, the Steve Ballmer (also Teams) Company, they hurt people more than Zerodium can even think of.

[anamax]

If Microsoft doesn't care, why should he?

[bathtub365]

This way of thinking really reflects poorly on security professionals. They should care out of a sense of professional ethics or personal morals. Selling a bug to be fixed by a vendor or to be weaponized by one of Zerodium’s customers are not equivalent morally or ethically. They also aren’t the only two options: he could just sit on the bug. Someone else will likely discover it but he at least wouldn’t be complicit in the erosion of the security of the software ecosystem.

[anamax]

The security of Microsoft products is Microsoft's responsibility.

Microsoft seems uninterested in fulfilling that responsibility, therefore the responsible thing to do is to "motivate" Microsoft.