if you kept track of my bug bounty adventures: a) i am so sorry and b) there's a good possibility that the microsoft will not only continue, but also have a crossover with another bug bounty odyssey
i think the bug bounty gods have seen me suffer enough and now want me to win because god damn this might get interesting
like i almost feel bad for how dirty i am doing microsoft and i am SO here for it. get fucked microsoft!!!
i don't have high hopes for a bounty but GOD DAMN this mail i just sent is gonna be a huge headache for a few very nice people at microsoft :)
like, completely ignored my question. either way this looks pretty bad for microsoft lol
so basically i can publicly humiliate them now. i can make them look really bad for not paying me, because now i have rock solid proof that they should have paid me. not gonna elaborate why exactly, but here's what i wrote them
Hey there, I kinda forgot about this whole thing and wasn't bothered to write about this, but it came to mind after [redacted]. I am now continuing writing a blog post about this vulnerability, and I can send it to you once it is done if you'd like to review it before making it public.
The thing that motivated me is [a lot of redacted stuff]
Do you want to adjust the bounty on this case or leave a public statement on this to include in my post? Because as of right now, this looks pretty bad for Microsoft's security team and Edge's trustworthiness, and I will definitely be writing about this now that [redacted]
Thanks.
and that is not just an empty threat, i have a lot of leverage here due to [redacted]. this genuinely looks very bad for microsoft, even worse than it looked before.
AND YOU KNOW WHAT THE DUDE AT MS REPLIED??
Hi Lexi,
Yes please, if you will let us review your blog we will return it as soon as possible.
Kind regards,
Jim
MSRC
jim i'm sorry you completely ignored the question, and i am literally nice enough to give you a chance to fix this disaster and you do nothing lol
so i sent a followup not even 60 seconds after jim sent his email
Hi, you still haven't answered whether you want to adjust the bounty on this case or leave a public statement on this to include in my post. Do you want to make no public statement on this, or will you send that later?
and i know that the dude isn't gonna reply within 24h even though i immediately replied because after all it's microsoft but gawddamn this might get spicy. because i either get a bounty after all (but very unlikely), or get to publicly shit on microsoft's security and bug bounty program lol
I will certainly ask our bounty team about a possible adjustment but this case has been reviewed multiple times. If you recall from our conversation July 10, 2023, case managers such as myself have no authority over the bounty program's processes. We do want the researchers that we work with to be successful and certainly rewarded if the report submitted is assessed accordingly. Are you saying that you will disclose the fixed issue unless we pay you bounty?
emphasis mine: no bestie, i will expose the shit that MS has pulled either way :3
also i am considering just asking a few people at big news websites if they want a funny story. for example the verge seems to like exposing MS's shit lol
i also replied to the guy explaining that i am waiting for this to be fixed in prod so i can disclose it, and that i am not blackmailing but giving them a last chance to fix this whole thing and that i will publish about this either way. this is exactly the outcome i wanted, because now either they get shat on by either me or even a big news website, or get less shat on and have to pay me. lmao

