by _yttw 42 days ago
If they want to take advantage of disclosure for marketing, they're either going to need to accept the norms around responsible disclosure, or they're going to need to accept how shirking those norms will come off. That's life in society. Sometimes it's annoying and sometimes it doesn't feel rational, but these norms have been negotiated throughout the history of our industry and are the way they are for reasons good and bad.

I just don't see the point in complaining about how shirking the norms of your industry will make you look irresponsible. I don't really care that they could have decided to sell the vulnerability instead. It isn't material.


It is absolutely not true that viable commercial vulnerability labs need to "accept the norms around responsible disclosure". There are no such norms. "Responsible disclosure" is an Orwellian term cooked up between @Stake and Microsoft and other large vendors to coerce researchers into synchronizing with vendor release schedules. It was fantastically successful at that, and it's worth pushing back on at every opportunity.

Tavis Ormandy dropped Zenbleed right onto Twitter. He's doing fine. You can blacklist him if you want; I imagine he's not going to notice.

Microsoft's policy is: "if you contact us with a vulnerability, you automatically agree to the terms of our responsible disclosure policy", which includes waiting 30 days after a patch was created, and says nothing about how long that process takes.

There is actually no way to give them a friendly heads up, and then do your own thing. The only way not to be bound is by not sending them any notification at all...

I wonder if "if you contact us... you automatically agree" stands in court. That's just ridiculous.
Reader, it does not.
Since no contract is signed, this is just pure fantasy on your part.
> terms of our responsible disclosure policy

I couldn't find a public copy of that.

The best starting point I found for reporting vulnerabilities was: https://github.com/microsoft/MSRC-Security-Research/security...

You can email without agreeing to anything. But for a serious issue Microsoft would obviously try and track down who you are and what jurisdiction you are in.

https://www.microsoft.com/en-us/msrc/bounty-guidelines

> MICROSOFT BOUNTY TERMS & CONDITIONS

> Last updated: July 23, 2025

> The Microsoft Bug Bounty Programs Terms and Conditions ("Terms") cover your participation in the Microsoft Bug Bounty Program (the "Program"). These Terms are between you and Microsoft Corporation ("Microsoft," "us" or "we"). By submitting any vulnerabilities to Microsoft or otherwise participating in the Program in any manner, you accept these Terms.

Who knows if it's enforceable.

Sure - that's a bug bounty - which is opt-in.

You said "There is actually no way to give them a friendly heads up, and then do your own thing. The only way not to be bound is by not sending them any notification at all..."

So what you said is wrong, right?

Maybe you're right. I just find it confusing. The language is all-encompassing, doesn't read opt-in to me if taken literally: "By submitting any vulnerabilities to Microsoft". And I found no other pages describing "report in such and such way to have these terms apply instead". But I always have problems with this stuff, perhaps taking it too seriously.

Obviously they can write whatever they want in their policy documents. The thing is, sometimes this is about larger sums of money, or someone's reputation, which may or may not actually lead to steps. That is in contrast with whatever TOS/EULA in account signups for some service or whatever; this feels more serious. I've seen some people getting harried after publishing something that fell _outside_ the servicing boundaries. Getting tangled up in whatever is already a loss in my book, even if you "win" in the end.

Note that that policy is also where they set out the safe-harbor conditions, which, according to my read, is tied to the bounty policy and not RD/CVD policy. The RD/CVD page itself specifies no such thing, so I relate them.

This seems to be sloppy wording, with the intent of "we only offer the bounty under these terms". Maybe my interpretation is too charitable.
I do not speak for MSFT, but last time I spoke with MSRC indeed they would be happy to receive your vulnerability report even if you did not wish to participate in any particular bug bounty program.
You're right, they don't need to. They have an alternative, to accept what people say or think about them in response. That's what I said.
So how do we feel about Linux distributors who have their heads up their asses and sat on their hands for 30 days?
Those norms do not exist. Those are people asking companies to do stuff to benefit the person complaining for free, and many companies will not do that.
It seems to me you're unaware of them, but there are strong norms around disclosure. They've been discussed for decades. It is the expectation that vendors would be notified in a scenario like this.
No, there are users who want those to be norms. Qualified researchers happily sell substantive vulns to people who pay (Governments/Cellebrite and companies like that) enough to quell any complaint.
Which is again, irrelevant to the question of how disclosure works and what expectations there are around it because that is not disclosure and is not what was being discussed.