I’m deeply uncomfortable with Microsoft attempting to weaponise their extensive law enforcement contacts to arrest people who post zero days in the products.
-
The vulnerabilities known as RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma were not responsibly disclosed. In response to the unnecessary risk created by these disclosures, our security teams have been working around the clock to understand the impact, protect our customers, and develop security updates.
We remain firmly opposed to these actions, and any disclosure outside proper coordination that could harm our customers and the digital ecosystem. Uncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable and have real-world consequences. Our security teams across the company work tirelessly tracking threat actors who look for weaknesses just like these to attack Microsoft and our customers. Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity -coordinating as needed with law enforcement around the world.@Ralph @GossiTheDog
Thank you, i really didn't want to look at the picture of text -
I’m deeply uncomfortable with Microsoft attempting to weaponise their extensive law enforcement contacts to arrest people who post zero days in the products.
It comes after the researcher was kicked off GitHub (owned by Microsoft), Gitlab (a Microsoft partner), after they were doxxed on Twitter and had their MSRC - Microsoft vulnerability reporting portal - account disabled.
@GossiTheDog@cyberplace.social So they complain about irresponsible disclosure but kick them off the MSRC so they can't disclose responsibly?
-
@GossiTheDog I really hope that somebody at Microsoft acknowledges that this screenshot looks like it could be lifted straight from Cyberpunk 2077.
-
@GossiTheDog I really hope that somebody at Microsoft acknowledges that this screenshot looks like it could be lifted straight from Cyberpunk 2077.
@will @GossiTheDog A statement straight out of the Arasaka Tower.
-
GitHub has long been a source for zero days exploits in competitor products - it still is. While I worked there GitHub had a policy saying they wouldn’t remove them.
By continually removing just exploits for their own products from Github and declaring “criminal activity”, it’s a rubicon.
@GossiTheDog To add, according to Low Level's video on the subject, Microsoft marked previous zero days the person reported as ineligible for its bug bounty program (saying administrator to kernel/system access is not a security boundary).
-
@notavi10 @GossiTheDog is there anything to support this claim? thanks.
@briankrebs @GossiTheDog from the person who didn't release the zero days: https://deadeclipse666.blogspot.com/2026/05/july-14th.html
-
@notavi10 @GossiTheDog
Is this for real? They submitted for bug bounty and got rejected? -
I’m deeply uncomfortable with Microsoft attempting to weaponise their extensive law enforcement contacts to arrest people who post zero days in the products.
It comes after the researcher was kicked off GitHub (owned by Microsoft), Gitlab (a Microsoft partner), after they were doxxed on Twitter and had their MSRC - Microsoft vulnerability reporting portal - account disabled.
The merger of law enforcement and big tech gains pace.
-
@GossiTheDog which stage of dystopian hellscape is it when mega-corporations have turned law enforcement into their own private police force?
@smilingdemon @GossiTheDog The Pinkertons have been around for a century.
-
@Ralph @GossiTheDog
Thank you, i really didn't want to look at the picture of textYou're welcome! I'm not sure why creating and then posting an image of the text is considered easier?, more authentic?, or whatever; than just cutting and pasting the same text. I suppose it eliminates the need for quotation marks.
-
Do I think the finder was acting rationally? No. Do I think Microsoft gets to decide what is criminal activity around proof of concept exploits? No.
From the standpoint of the actor and their own future career in bounty hunting, I'm certain that this is irrational -- I have few doubts they'll be blackballed across the board, though it sounds like this may have already occurred.
From a community perspective, a great many malicious actions have recently been taken by the Big Three, raising an unignorable amount of rancor in the bug-hunting community. These actions are irrational in and of themselves, eroding and eliminating trust in the corporations while crippling one of the biggest incentives bounty hunters have to continue their work.
Standing up and making it clear that these bounty programs operate on an understanding of trust -- and that said trust, if broken, will lead to Bad Things like This happening -- is, from a community standpoint, rational, logical and sane. It's possibly the only way to counter a unilateral corporate decision to break the social contract holding things together.
-
The vulnerabilities known as RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma were not responsibly disclosed. In response to the unnecessary risk created by these disclosures, our security teams have been working around the clock to understand the impact, protect our customers, and develop security updates.
We remain firmly opposed to these actions, and any disclosure outside proper coordination that could harm our customers and the digital ecosystem. Uncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable and have real-world consequences. Our security teams across the company work tirelessly tracking threat actors who look for weaknesses just like these to attack Microsoft and our customers. Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity -coordinating as needed with law enforcement around the world.@Ralph @GossiTheDog Big “whistleblowers must go through the chain of command” energy
-
@notavi10 @GossiTheDog
Thank you @notavi10 -
I’m deeply uncomfortable with Microsoft attempting to weaponise their extensive law enforcement contacts to arrest people who post zero days in the products.
It comes after the researcher was kicked off GitHub (owned by Microsoft), Gitlab (a Microsoft partner), after they were doxxed on Twitter and had their MSRC - Microsoft vulnerability reporting portal - account disabled.
@GossiTheDog@cyberplace.social
Uncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable and have real-world consequences.
oh fuck these assholes, the number of times they have had legitimate issues reported to them and then ignored the problem while leaving customers at risk is staggering, they're blatantly ignoring the entire reason for the full disclosure movement to exist and pretending they're the heroes who always save the day
absolute pile of horse shit, every single line -
GitHub has long been a source for zero days exploits in competitor products - it still is. While I worked there GitHub had a policy saying they wouldn’t remove them.
By continually removing just exploits for their own products from Github and declaring “criminal activity”, it’s a rubicon.
@GossiTheDog that sounds like it should be illegal somehow, wow
-
I’m deeply uncomfortable with Microsoft attempting to weaponise their extensive law enforcement contacts to arrest people who post zero days in the products.
It comes after the researcher was kicked off GitHub (owned by Microsoft), Gitlab (a Microsoft partner), after they were doxxed on Twitter and had their MSRC - Microsoft vulnerability reporting portal - account disabled.
@GossiTheDog 5 years ago you could have said so, but now? Its on you for still using Github.
-
I’m deeply uncomfortable with Microsoft attempting to weaponise their extensive law enforcement contacts to arrest people who post zero days in the products.
It comes after the researcher was kicked off GitHub (owned by Microsoft), Gitlab (a Microsoft partner), after they were doxxed on Twitter and had their MSRC - Microsoft vulnerability reporting portal - account disabled.
@GossiTheDog No more help from the good guys then, M$ ¯\_(ツ)_/¯
-
@briankrebs @GossiTheDog not to defend M$, but isn't the responsible disclosure stuff an etiquette in the whole infosec domain? My friends working in a SOC told me so, and I can understand the point of "please think about the workers"
Still, M$ wanting people to think about the workers leaves a bitter taste int mouth, and nothing justifies sending legal threats against individuals like that@sly_vi @briankrebs @GossiTheDog I'm not privy to the situation that made this guy do what he did, but MS have quite a history of responding to notifications with "works a designed" or other ways of shifting the blame to the user. In some cases, they fixed issues silently after sending the researcher into the weeds.
Mind you, I feel their pain. I would hate to do triage on their product line"s CVD, and that's even without considering all the crap reports everyone gets these days from folks whose expertise consists of reading chapter one from "ethical hacking for dummies" (now with free reporting templates).
-
I’m deeply uncomfortable with Microsoft attempting to weaponise their extensive law enforcement contacts to arrest people who post zero days in the products.
It comes after the researcher was kicked off GitHub (owned by Microsoft), Gitlab (a Microsoft partner), after they were doxxed on Twitter and had their MSRC - Microsoft vulnerability reporting portal - account disabled.
@GossiTheDog It's like the 90's all over again.
-
@GossiTheDog which stage of dystopian hellscape is it when mega-corporations have turned law enforcement into their own private police force?
@smilingdemon @GossiTheDog Apple's counter-intelligence department comes immediately to mind.
