Researchers normally submit such findings to the Microsoft Security Response Center (MSRC) for patching to prevent hackers from exploiting them. But Nightmare Eclipse has deliberately ignored the responsible disclosure route, citing claims that Microsoft mistreated them.
“They mopped the floor with me and pulled every childish game they could,” the researcher wrote last month, without elaborating. “It was soo bad at some point I was wondering if I was dealing with a massive corporation or someone who is just having fun seeing me suffer but it seems to be a collective decision.”
PUTS ON MICROSLOP
Every place I’ve ever worked has tried to play cute with security researchers. I’ve never understood it. I’ve always called it out. But I keep fucking running into it!
The fact they mark them as “Moderate” or “Didn’t meet threshold” then immediately patch it without paying is fucking dirty.
They know that most security researchers won’t risk legal action by releasing through other means, so they’ll do whatever saves them a few dollars in paying them.
But what can we do about it? A nonprofit legal fund that barely stands a chance against Microsoft’s legal team? There must be something meaningful.
so they’ll do whatever saves them a few dollars in paying them.
or whatever keeps a public CVE from getting published.
Happy Cake Day!!!
huh. so it is that. i had no idea.
first ‘birthday’ wishes i’ve received in probably 20 years.
ty.
Fuck Microslop
YES
Stop reporting and start selling.
This is the best option when dealing with companies like MS. Some companies actually use reports, issue CVEs, acknowledge shit… MS does not, fuck them. Sell the 0day to a company that will go on to sell it to a state actor, MS will patch it eventually but you won’t be treated like shit to keep it under the rug.
Seriously, that’s is the actual alternative. It’s not theoretical - people are definitely buying (and they pay better).
Has Microsoft forgotten why they do these bug bounties? This is why. Because if they don’t pay, other people will. They’re actively turning the white hats into grey and black hats, selling to intelligence agencies and criminals instead of responsible disclosing.
This is on them.
Unfortunately Micro$lop only hires inexperienced vibecoders.
Everyone’s riding the train and they’re all just hoping that today won’t be the day that their car will ride off the tracks … but they all have a sneaking suspicion that it’s going to happen soon … but hope it won’t.
Microsoft thinks they did the ol’ extend, extinguish, etc. by funding The Linux Foundation, but they actually have been paying for their own execution.
If Microslop would disappear tomorrow it would be a day too late.
Can’t wait to see what they drop on patch Tuesday. Gonna be a fun work week!
#DefundMicroslop
