
Comment by NagatoYuzuru

14 hours ago

> the last time I interacted with MSRC regarding reporting a VSCode bug, it was a horrible experience where they silently fixed the bug

Classic MSRC. It has figured out that researchers will report for free regardless. Why change?

MSRC doesn’t fix bugs.

I don’t know the specifics of this case, but I’ve managed bug bounty programs in the past through Bountysource and HackerOne. One thing that occasionally happens is that a report makes its way to the development team before the security team has fully assessed it, in this case MSRC.

At that point, a developer may decide to quietly fix the issue. Sometimes that’s driven by a concern, rational or not, that being associated with a security bug could reflect poorly on them or affect future promotion opportunities. The result is that by the time the security team attempts to reproduce the report, the vulnerability is already gone.

From MSRC’s perspective, all they see is that the provided reproduction steps no longer work. They have no visibility into the internal history of the bug or whether someone already patched it. As a result, the report gets closed as invalid even though the original finding may have been legitimate.

  • That makes sense but doesn't excuse the behavior. Just because there is poor communication within Microsoft doesn't make it okay to silently patch a vulnerability. Also, looking at the timeline on OP's post from 2023, it seems they patched it and closed the bug on the same day, which is a little sus.

  • > They have no visibility into the internal history of the bug or whether someone already patched it.

    Aww man, if only they owned some sort of platform for tracking those, powered by some sort of program. Doesn't even have to be a smart problem, it can be, succinctly, shortly, stupid. If only.

  • If only there were some kind of system for recording the version history and viewing what changes had been made to the code between releases.

  • Your post reads like "This doesn't happen, except when it happens and the person has no recourse and it does in fact happen." Why make the post at all? If your internal workings fuck over someone externally, prepare for your department to take the blame even if it's "not your fault"; you work at the company that just fucked them over.

  • Nonsense. As if there are no versions for their software releases.

    This is laziness, security absolutely could verify these steps.

    • Sure, given infinite time, they could diligently try to reproduce every bug across every version of any given product or open source library from a team at Microsoft.

      However, if you have 1000s of reports a day, many of them vague, with the person hoping it's close enough to a real issue to get paid, it makes sense to me personally that one needs to prioritize active issues over tracking down when other issues were fixed.

It was the status quo for a long time, then the pesky security researchers started asking for compensation instead of clout.

  • > instead of clout

    I'm catching up on the infosec twitter side but it seems like it was even worse. A lot of people have the same story as me in 2023 of "they silently patch the bug and don't even credit you" which really stinks.

    • It definitely reminds me of the stereotypes of big business types stepping on the little guys to climb the ladder.

      I hope you get credit where credit is due in future endeavors.