Researcher trolls Microsoft over bug disclosure annoyance (The Register)
A vulnerability analyst and prominent member of the infosec industry has blasted Microsoft for refusing to look at a bug report unless he submitted a video alongside a written explanation.

Senior principal vulnerability analyst Will Dormann said last week he contacted the Microsoft Security Response Center (MSRC) with a clear description of the bug and supporting screenshots, only to be told that his report wouldn't be looked at without a video.

MSRC told Dormann: "As requested, please provide clear video POC (proof of concept) on how the said vulnerability is being exploited. We are unable to make any progress without that. It will be highly appreciated."

Frustrated with Microsoft's demand, which Dormann said would only show him typing commands that were already depicted in the screenshots and hitting Enter in CMD, the analyst created a video laden with malicious compliance.

The video is 15 minutes long and, at the four-second mark, flashes a screenshot from Zoolander in which the protagonist unveils the "Center for Kids Who Can't Read Good."

It also features a punchy techno backing track while wasting the reviewer's time with approximately 14 minutes of inactivity.

Dormann said via Mastodon: "I get that people doing grunt work have mostly fixed workflows that they go through with common next steps.

"But to request a video that now captures, beyond my already-submitted screenshots, the act of me typing and the Windows response being painted on the screen adds what of value now?"

To top it all off, when trying to submit the video via Microsoft's portal, the upload failed due to a 403 error.

Dormann's complaints coincidentally came on the same day MSRC published a blog highlighting the strengths and key features of its coordinated vulnerability disclosure program.

A POC video in addition to screenshots is not often required in the industry as part of a vulnerability disclosure.

CISA uses the Vulnerability Information and Coordination Environment (VINCE), run by Carnegie Mellon, to receive vulnerability reports. It has the option to include a single 10 MB file to support written reports, and additional files can be sent directly upon request where necessary.

Public sector organizations in the UK tend to follow the advice issued by the National Cyber Security Centre (NCSC), which also doesn't mandate a video report. A short description of the issue and details of how to reproduce the bug are the only requirements. This is generally standard practice, though not universal.

We also asked Dormann for additional input. He said requests for video can be found on other platforms such as HackerOne and Bugcrowd, but in his opinion, requiring one signals to researchers that the reviewer is merely following a process rather than understanding the report itself.

As the post and video suggest, he was unimpressed by MSRC's refusal to proceed with the vulnerability report just because a video wasn't submitted in tandem.

"If a researcher is going out of their way to be nice to vendors and writing up vulnerability reports to share with them, the least the vendor could do is at least pretend to be taking it seriously," said Dormann.

"I reported three related but different vulnerabilities to Microsoft recently. Two of them requested video evidence of exploitation for things that don't even make sense to have a video of, thus my malicious compliance example that I posted, and the third was rejected as 'not a vulnerability' with clear evidence that the MSRC handler didn't bother actually reading what I submitted. Researchers doing the right thing deserve better."

Dormann said he was still waiting to hear back from Microsoft after sending them the video. But Redmond messaged The Register on Friday about the request, and apparently those who like bounty should comply. A spokesperson told us: "In some cases, our team may ask a security researcher to provide additional evidence with their vulnerability submission. This is not a requirement but can assist in ensuring accurate assessment and potential bug bounty reward."
Copyright. All rights reserved 1998-2025.