IP KVMs are incredibly handy—and inherently risky. I tested over 20 of them over the past couple years.
One of them even got me an FBI visit ;)
Today's video covers *all* of them: https://t.co/Btq0WqC33c
Microsoft’s handling of Nightmare Eclipse reveals how little they actually value independent security researchers when it becomes inconvenient.
Nightmare Eclipse followed the proper reporting channels, had his MSRC account revoked, received what amounted to legal threats, published PoCs for several unpatched Windows zero-days, and was subsequently banned from GitHub. Now @msftsecresponse issues a statement claiming they have no intention of pursuing researchers, while continuing to insist that coordinated disclosure is the only acceptable approach. Nightmare Eclipse still has no accounts reinstated and has received no meaningful apology.
Several researchers and observers have been clear about this today. @kln_nurv correctly notes that publishing exploits after attempting responsible disclosure is not a crime, yet there has been neither reinstatement nor apology, only damaged trust. @0x0Fuck rightly demands a public apology from Tom Gallagher (@secbughunter) and full reinstatement of Nightmare Eclipse’s accounts before MSRC can expect any credibility. @Stric_Nine, @PierreGrivet and others have made the same point: this is damage control, not accountability.
I once criticized @elder_plinius for releasing powerful jailbreaks and obliteration tools so openly. I believed it would introduce unnecessary risk and noise into the ecosystem. Under different circumstances, in other times, that view might still apply.
However, Microsoft and other large vendors have deliberately created an environment in which researchers who go public after official channels fail them are punished and silenced. In this reality, Pliny was correct. When companies treat disclosure as a threat to be managed rather than a necessary part of security, radical public release becomes one of the few remaining mechanisms researchers have to maintain visibility and pressure.
This problem is made worse by the rise of agentic attacks that can automatically discover and chain vulnerabilities at scale. The more vendors punish transparency, the greater the advantage they hand to automated exploitation.
Nightmare Eclipse should never have been forced into this position. Given how he was treated, his actions were entirely justified. I stand with the researchers who refuse to accept rules designed primarily to protect vendors.
If @msftsecresponse genuinely valued the security community, Nightmare Eclipse would have his accounts reinstated and there would be a substantive apology. Anything less is simply an attempt to reassert control while avoiding real responsibility.
Over the past several days, we have been listening to the conversation around coordinated disclosure and the relationship between security researchers and vendors. We recognize that this relationship is both critical and, at times, fragile. We deeply value the security community, and will continue to take your feedback seriously.
To be clear about our approach to legal matters, we have no intention to pursue action against individuals conducting or publishing their security research. When an individual breaks the law and engages in malicious activity causing real harm to our customers, we will work with law enforcement as appropriate.
We recognize the work that goes into researching and submitting a vulnerability. We are committed to approaching every interaction with transparency, clear communication, and professionalism. We continue to believe strongly in Coordinated Vulnerability Disclosure as the foundation for protecting customers and improving our products. Each year we process a high volume of vulnerability reports. That volume continues to grow and will continue with the rise of AI-enabled research. We acknowledge that some interactions have fallen short and are working to learn from them.
Many of us have experience on both sides of this work, as researchers reporting vulnerabilities and as responders triaging and assessing them. That perspective informs how we approach this feedback and the importance we place on getting it right, particularly as the volume and complexity of research continues to grow.
The security community plays a vital role in helping us protect customers. We are committed to maintaining a constructive and respectful relationship and growing together. We know that, given the nature of this work, there will at times be misunderstandings. We remain committed to engaging in good faith and to providing a respectful and professional experience for all researchers, regardless of past interactions.
We know what probably happened.
From what we see publicly, NightmareEclipse doesn't communicate well, is emotionally immature, and appears to want to extort Microsoft.
Almost certainly, this played a part in the conflict between them and Microsoft -- it's probably as much NightmareEclipse's fault as Microsoft's.
With that said, everything Florian says is correct. It doesn't excuse Microsoft's failures. They are supposed to be the responsible one.
When there is miscommunication or dispute, it's always allowable to drop 0day, regardless of whose fault it is. It's Microsoft's job to avoid that, even when they really aren't at fault for the miscommunication.
But Microsoft has convinced themselves of the opposite, that "responsible" disclosure means only the responsibilities of the vuln finder.
Vuln finders have no responsibility. Dropping 0day is responsible. Responsible companies don't have so many bugs.
We let industry subvert the disclosure process. Instead of working to secure their code, vendors have tricked people into believing in the myth of "responsible disclosure", that vendors should be given time to fix and patch their bugs so they are never to blame for the bugs to begin with.
That's why you have customers still buying Fortinet appliances even though their bugs continue to be major sources of customers getting hacked. Customers shrug their shoulders: as long as Fortinet has a vulnerability disclosure program and releases patches, they aren't responsible for when hackers keep breaking into their boxes.
This is garbage. Vendors are still responsible for preventing bugs in the first place, a responsibility that doesn't go away just because they patch.
Regardless of what happened, Microsoft's threats are a gross violation of ethics in the industry.
A researcher found critical Windows zero-days.
Reported them to Microsoft.
Microsoft denied the bug bounty.
Deleted their account.
Banned them from GitHub.
Then threatened criminal charges.
The researcher dropped six zero-days in six weeks.
Three got used in real attacks within days.
Other researchers are now handing them free vulnerabilities as a gift.
Microsoft’s Digital Crimes Unit is considering legal action.
Against the person whose bugs they refused to pay for.
This is Microsoft’s bug bounty program.