European Cyber Defense League | als Stein sozialisierter Birnbaum | ☚ ☛ | ♁ | ⚉
expert for cryptographic distributed social blockchain in hybrid clouds
@IntCyberDigest Discussion will die down, nightmare eclipse will be a pariah and nothing will change unless people use this momentum to publicly share their exploits they've been sitting on. Not hacked = doesn't matter to me.
‼️ After the MSRC blog post about Nightmare-Eclipse, researchers are coming forward with their own MSRC horror stories.
The response from the security community isn't going Microsoft's way, as they're not backing Microsoft.
Gabriel Landau, a well-known Windows security researcher, says he reported a Device Guard bypass with a 90-day window. MSRC told him it met their bar and they'd fix it, then asked him to hold disclosure for extra months. He agreed on the condition they issue a CVE. They patched it silently, decided after the fact it "didn't meet the bar," and never issued the CVE. In his words: "MSRC strung me along for a few extra months to keep me quiet, then broke their word."
Another researcher, rootsecdev, says he responsibly disclosed a legacy-auth flaw that allowed password spraying while avoiding smart lockout. Five months later, MSRC replied that it "doesn't meet the bar for servicing," silently fixed it, and closed the case.
Microsoft's post was meant to defend their coordinated disclosure policy. Instead it became a thread of researchers explaining why they've stopped trusting their process.
so, fun fact about digital scales: most have fairly wide margins of error, like +/- 1-2%, which is 2-4 lbs on a 200 lbs person,
BUT they mask this by storing your weight in memory for a certain period of time - usually about 15 minutes - if you step off and step right back on, the scale will recognize this and serve you the old weight to mask the measurement error.
so it is likely this person spent just long enough in the shower for the memory to dump, and she got an honest re-read within the scale’s MoE.
My last submission to MSRC was for a Device Guard bypass. I learned my lesson from prior drawn-out submissions, so I included a 90-day window this time. MSRC responded saying that it met their bar and they would fix it, but asked me to withhold disclosure well past 90 days because they needed a few extra months to fix it. I agreed on the condition that they issue a CVE, to which they agreed.
After the agreed-upon Patch Tuesday a few months later, I couldn’t find any mention in the CVE list, so I reached out to MSRC to inquire. It turns out - they changed their minds, deciding it did not meet their bar for servicing, yet they patched it anyway. Since it didn’t meet the bar, they didn’t issue a CVE. MSRC strung me along for a few extra months to keep me quiet, then broke their word.
They could have at least bought me dinner first.
The interaction left such a bad taste in my mouth that I don’t really feel like interacting with them again. That’s why I didn’t publish any exploits/tools last year. #MeTooMSRC
Microsoft Security Response Center put out a blog post today about Eclipse Nightmare guy
Basically they think he's super mean and totally not cool he's dropping zero days. They say you're a jerk if you do this stuff because it's dangerous and stuff
https://t.co/Bg5iFxI3lc
The Vienna public prosecutor's office (StA Wien) has seized the phone of the ORF employee whose allegations led to Roland Weißmann's resignation. At the residence of Pius Strobl.
https://t.co/VGhkS7S6jA
@der_ackerl Unfortunately, the fat-cat #SPÖ would rather tax ordinary people's parcels and the electric cars of average earners in order to protect the wealth of the rich.
@AndiBabler says "tax the rich" and means the sales employee on €4,000 gross with an electric Fiat 500 company car.
@ancrth @mardehaym No, because measuring output will show that more AI doesn't improve output and risk the job of the C levels which decided to go all in on AI.
@E_Boeminghaus Within 500 m of the Domino's on Neubaugasse there are at least 15 pizzerias that make good pizza and not scabby American slop.
That's just a warning sign that there are a few people with bad taste.
#österreich #realtalk #pizza #aislop #hashtag
This government is completely out of control. The only thing they can come up with is levies, taxes and even more taxes.
The citizens will bear all of it. And everything gets more expensive. Trump-style politics. Completely stupid and insane.
Neos, what's going on with you?
@Nick_Davidov @TapeTrickster That's bullshit. If you want to live in a corporate hellscape, just move to Delaware.
You can't enjoy the benefits of living in a proper society without also fulfilling your obligations.
We're in a weird era where a guy gets publicly shamed for running his sprinklers on a Tuesday, while a data center the size of a Costco quietly drains a reservoir so AI can generate a picture of your cat as a medieval knight. And the data center gets a tax incentive for it.
they want us to believe it’s a national security emergency to fall behind china on AI but falling behind china on high speed rail, renewable energy and childhood nutrition is a-OK.
Incredible video by randomly sacked Atlassian engineer telling all about the entire company
Love this genre, like LinkedIn green banner with zero fcks given