bohops

‼️🚨 BREAKING: Another researcher skipped coordinated disclosure entirely and dropped a critical 1-click GitHub token theft in public because he doesn't want to deal with MSRC. In his own words: "I really don't want to deal with MSRC on VSCode bugs." The bug: just clicking a link can hand an attacker a GitHub token that reads AND writes to all your repos, including private ones. It lives in github[.]dev, GitHub's browser-based VSCode editor, which passes the browser an OAuth token that isn't scoped to a single repo. That token can touch everything you can. Researcher Ammar Askar found that VSCode's sandboxed "webviews" leak keyboard events to the main editor. A malicious repo opened via one link can simulate keystrokes, install a local extension that skips VSCode's publisher-trust check, and exfiltrate your token. He published a working proof-of-concept. He says when he reports github[.]dev bugs, GitHub tells him they're out of scope and to go report to MSRC, and a prior VSCode bug he reported was silently fixed with no credit. One commenter summed up the mood: "MSRC has turned into Feedback Hub."

OAIC's CFP is now open! The first conference dedicated to the cutting edge of the offensive use of AI is returning for its second year. Speakers will enjoy three nights at a four-star beachfront resort, which includes all meals and drinks, three exclusive parties, and a Michelin-star welcome dinner. Please see https://t.co/Q6XUblStJb for accepted topics.

Over the past several days, we have been listening to the conversation around coordinated disclosure and the relationship between security researchers and vendors. We recognize that this relationship is both critical and, at times, fragile. We deeply value the security community, and will continue to take your feedback seriously. To be clear about our approach to legal matters, we have no intention to pursue action against individuals conducting or publishing their security research. When an individual breaks the law and engages in malicious activity causing real harm to our customers, we will work with law enforcement as appropriate. We recognize the work that goes into researching and submitting a vulnerability. We are committed to approaching every interaction with transparency, clear communication, and professionalism. We continue to believe strongly in Coordinated Vulnerability Disclosure as the foundation for protecting customers and improving our products. Each year we process a high volume of vulnerability reports. That volume continues to grow and will continue with the rise of AI-enabled research. We acknowledge that some interactions have fallen short and are working to learn from them. Many of us have experience on both sides of this work, as researchers reporting vulnerabilities and as responders triaging and assessing them. That perspective informs how we approach this feedback and the importance we place on getting it right, particularly as the volume and complexity of research continues to grow. The security community plays a vital role in helping us protect customers. We are committed to maintaining a constructive and respectful relationship and growing together. We know that, given the nature of this work, there will at times be misunderstandings. We remain committed to engaging in good faith and to providing a respectful and professional experience for all researchers, regardless of past interactions.

Absolutely. It's a process, and a bad report is just not good for anyone involved. The penalty for a bad quality report should be a lower to 0 bounty payout opportunity - at least that was how it was documented in the bounty terms in the past. Another PR opportunity - "Day in the life of a case manager"

Absolutely - Nate was the exception. And I'm not trying to make this about me, but I can only draw from my own journey along the way. I've submitted maybe 20+ bug reports over the years. Results were a rollercoaster of experiences and outcomes - good/bad/indifferent. Some of it truly what it was (e.g. not serviceable), some of it unfortunate circumstance, some of it bad policy, some of it subpar case management, and some of it my fault (e.g. bad reports early on). Regardless, MSRC has a prime chance for a key PR move here - process critical feedback through the noise, clarify submission expectations for the sanity of their staff, and still denounce 0day drops without alienating the community at large.