oh god lmao yeah i did not update you guys but tl;dr (it's long but the whole story would be 10x longer)
tldr of the tldr of the story so far: i found a funny vuln in microsoft edge. you can do various things like starting a systemwide keylogger, grabbing the clipboard and a bunch of other sensitive stuff. microsoft's bad BBP platform left me hanging for a few months until i came into contact with an actual human, but said human (aka the ms guy) COMPLETELY misunderstood the {scope of the} vuln and did not bounty me for that reason {yet}.
- the ms guy still doesn't understand the vuln
- a lot of stupid emails were exchanged explaining very in-depth what the vuln is
- the ms guy asked me for a PoC for an RCE that i never mentioned (???)
- i made another PoC, this time with two virtual machines and an actual web service with google oauth which steals real google account credentials and displays them
- i did not get a response in 3 weeks again
- i found out via twitter that the guy went on vacation for three weeks and nobody told me
- a few days later i got a response and the ms guy told me to submit a new vuln with that PoC (???????????)
- that was a) extremely unprofessional and b) extremely shady because it would (rightfully so) be a duplicate, so i publicly leaked a few details and posted how shitty their communication was on twitter and tagged microsoft, and i got a response from the social media guy (who was really friendly & helpful, shoutout to that guy) and got an "i'll be back soon" from the ms guy
- as if that wasn't enough, i found out a day later that microsoft changed the status to pre-release on ms's bbp platform (after accidentally setting it to review/repro for 5 seconds lol), and of course i did not get a notification for this
- two days later i was casually scrolling on twitter when i found a thread about a bunch of MS vulnerabilities being fixed
- one of the CVEs sounded really familiar, and i was very amused that someone found a similar issue and got a CVE ID assigned for it but not me
- upon closer inspection i found out that was in fact my fucking vulnerability
- yes, i deadass found out that i had a CVE ID by reading a twitter thread
- no, nobody notified me
- yes, i am properly credited on the CVE and it's >6, so not low (not like the ms guy told me)
- as if that is not bad enough, now the ms guy wanted to have a microsoft teams meeting with the microsoft edge engineering team
- i told him when i was available and that i have time in the next few weeks
- the dude then scheduled a meeting for almost 6 weeks later
- this on its own is bad, but it gets worse:
- he scheduled it on the 10th of july
- i am on vacation in italy from the 10th to the 16th
- even better, he scheduled it on the exact time when i am going to be sitting in a car in the middle of europe without a stable internet connection
- i asked for another date and he told me that another date would be a lot longer away in the future
- i now had to re-schedule everything, and i am going to hop on a teams meeting minutes after checking into my hotel in italy
- i still have no clue if i am going to get any bounty
yeah. please sell your vulns on the darknet
