namelessWrench


lexi
@lexi

nice to know that microsoft doesn't bounty CVSS >6 bugs that require user interaction. a proof of concept doing stuff like sandbox escapes, clipboard reading, mic access etc without consent is apparently "low severity" :) just sell your vulns to the highest bidder, MSRC is a scam

also now that im sure that i will not get paid, i'll release all details publicly soon. in the meantime: please, for the love of god, do not use microsoft edge (or other MS stuff), because their engineers did not even bother to read the chromium/upstream UI security documentation


lexi
@lexi

minutes after sending that on twitter i got not one but two rushed emails:

Hi Lexi,

Thank you for attending the call today and working with us to resolve your concerns. As discussed, please submit potential vulnerabilities separately with a valid POC, steps to reproduce the potential vulnerability, and evidence supporting the POC - video, images, or screen shots.

Thank you again for helping to keep Microsoft customers safe.

noteworthy here is that i never told them my name. they fucking namesearched me and tried to subtly subtweet me but fucked up by using my name, which i never told them lmfao

second email seemed a bit more desperate and they admitted what they were doing:

Hi Lexi,

I understand via a Twitter tweet that you will publicly disclose the issue we discussed. We ask that researchers work with us on any disclosure since it might put Microsoft customers at risk. We are happy to review any blog or statement.

oh so NOW its important lmfao. what a bunch of scumbags. so i continued playing their silly game and tweeted the following in the same thread:

hey [employee]! its not that i submitted the wrong PoC, your rating system is just straight up hostile towards security researchers. if being able to steal whole accounts with a vuln is not worth bountying, i have zero reason to legitimate or participate in the joke that MSRC is.

anyways if you and your team decide that maybe its not a good idea to not bounty people who put hard work into your security (because otherwise why on earth should i help you if i get nothing in return?) feel free to think about changing your mind. ill just enjoy my vacation now

i wont disclose it for a while because hanging out in italy is way more fun than leaking/giving MS free labor but please have a hard think about [the second] email. maybe you should reward people for giving *you* info that may put customers at risk rather than just selling to the highest bidder

ill just enjoy being baked alive in italy (37°C is hot) for a while now and see if they will namesearch me again, and if not send a mail back pointing their hypocrisy out and if that doesnt work i will leak EVERYTHING. trust me you guys will actually lose your minds when i publish the dumbest fucking email i have ever received in my whole life. also i think a lot of tech magazines and infosec people would also find this very interesting, so even if i dont get any cash from this (which, realistically, is a 99% chance) its gonna be a pr nightmare for them. lol

also remember when i said that searching for edge rces might be a solid job? im actually considering searching for one and selling it lol

