Comment by therein

2 months ago

Did he really get no bounties out of this? The guy found a way into build boxes retail Windows is built on, potentially found the private key that would be used to generate license keys, likely could have dived in a little bit more after getting RCE on the build box to exfil the latest Windows 11 source code. He even found a way to issue rewards. They still gave him nothing?

If their rules say this doesn't deserve a bounty their bounty program is a sham.

  • Microsoft's bug bounty program is a shell of its former self. They quietly disqualified a lot of high-impact findings in 2023.

    In my own experience:

    - Leaked service principal credentials granting access to their tenant? $0 bounty.

    - Leaked employee credentials granting access to generate privileged tokens? $0 bounty.

    - Access to private source code? $0 bounty.

    Etc.

    • I will forever remain radicalized by how every tech company decided to just say fuck it in 2023. (ex-Google and left in 2023 over similar shenanigans)

      Should be a major public reckoning over this. But there can't be, they hold the cards, the only real view of this you'd have is day-to-day on Blind and some occasional posts that stir honest discussion here.

      I guess we just get to grin and bear it while they give gold statues and millions to the right politicians.

    • Fwiw, the way it works is that Microsoft doesn't really have a bug bounty program. Individual Microsoft teams have bug bounty programs (or not). Platform teams like Entra, Windows, and Azure have robust programs. However, when teams that operate on top of platforms misconfigure those platforms (as happened here), those bugs are owned by the teams that operate on top of the platform, not by the platform.

    • Access to private source code?

      Have they already gotten so drunk on "zero trust" that they don't think it should matter if attackers see their source code? Then again, they are open-sourcing a ton of stuff these days...

  • My own, small, experience with MSRC is indeed that their bug bounty program is not good; they take any possible opportunity to avoid payouts.

    This means that a lot of genuine bug bounty hunters just won't look at MS stuff, and MS avoids getting things fixed; instead, other attackers will be the ones finding things, and they likely won't report them to MS...

If Azure's horrific security track record (tens of exploits, often cross-tenant, often trivial) over the past few years doesn't give you pause, their joke of a bug bounty definitely should.

Obviously nobody with power cares about security in Microsoft's Azure branch. Why does anyone continue trusting them? (I mean, I know that Azure is not something you buy by choice, you do because you got a good deal on it or were a Microsoft shop before, but still).