by rustyhancock 20 days ago
I know this is a crazy take. But I do feel so downtrodden by many, many tech corps these days that I find it hard not to have a smidge of satisfaction for this guy pointing out the colossal favour research developers do for them by responsible disclosure.

That said, I feel bad for the inevitable victims of exploitation, and also I am certain he will end up criminalized, or, as per usual, the law will enforce a large corp's will against him.

Yes. Definitely a Friday night after a hard week take.

4 comments

Nothing crazy about it. Crazy is feeling sorry for the trillion dollar corporation. Don't let anyone tell you otherwise.

The right thing is immediate publication of all exploits, zero liability for the researcher who's just doing a public service and maximum liability for the corporation whose criminal negligence enabled the exploits to begin with.

Microsoft chose to run a shoddy bounty program. The researcher tried to do the right thing.

Microsoft could have prevented this. They were warned. It's their own fault.

The exploit exists whether or not the researcher reports it. They didn't make the exploit.

> They didn't make the exploit

This is important to remember, in this situation and all other 0-day disclosures. There's also no guarantee that the uses of said 0-day after disclosure are the only time it's been actively exploited. The exploit already existed, and there are plenty of three-letter agencies and Israeli companies that could very well have already been aware of it.

The only place blame belongs here is on Microsoft, nowhere else.

> I am certain he will end up criminalized

DMCA has exemptions for "good faith" security research, whatever that means when interpreted by a judge. Outside of copyright law, not sure what Microsoft could pursue legally. The researcher is just disclosing information. CFAA doesn't apply because it's an operating system running on their own machine; there's no unauthorized access there.

They could drag Eclipse through civil lawsuits though.

But yeah, zero sympathy for Microsoft here from me. They deserve it and what's coming for them, whatever that may be. Consider it karma for their past abuses.

Unfortunately I think "good faith" goes away quick in the face of "bone shattering".

Sadly CFAA always applies; just read the letter of the law and multiply by the wide net cast by the Microsoft TOS.

Naw, totally agree, we need way more robust protections for security researchers and way harsher penalties for corpos doing bullshit; it should be a percentage of revenue.

We have way too much fuck around these days and not nearly enough find out.