lexi
@lexi

if you kept track of my bug bounty adventures: a) i am so sorry and b) there's a good possibility that the microsoft will not only continue, but also have a crossover with another bug bounty odyssey

i think the bug bounty gods have seen me suffer enough and now want me to win because god damn this might get interesting


lexi
@lexi

like i almost feel bad for how dirty i am doing microsoft and i am SO here for it. get fucked microsoft!!!

i don't have high hopes for a bounty but GOD DAMN this mail i just sent is gonna be a huge headache for a few very nice people at microsoft :)


lexi
@lexi

like, completely ignored my question. either way this looks pretty bad for microsoft lol


lexi
@lexi

so basically i can publicly humiliate them now. i can make them look really bad for not paying me, because now i have rock solid proof that they should have paid me. not gonna elaborate why exactly, but here's what i wrote them

Hey there, I kinda forgot about this whole thing and wasn't bothered to write about this, but it came to mind after [redacted]. I am now continuing writing a blog post about this vulnerability, and I can send it to you once it is done if you'd like to review it before making it public.

The thing that motivated me is [a lot of redacted stuff]

Do you want to adjust the bounty on this case or leave a public statement on this to include in my post? Because as of right now, this looks pretty bad for Microsoft's security team and Edge's trustworthiness, and I will definitely be writing about this now that [redacted]

Thanks.

and that is not just an empty threat, i have a lot of leverage here due to [redacted]. this genuinely looks very bad for microsoft, even worse than it looked before.

AND YOU KNOW WHAT THE DUDE AT MS REPLIED??

Hi Lexi,

Yes please, if you will let us review your blog we will return it as soon as possible.

Kind regards,

Jim
MSRC

jim, i'm sorry, you completely ignored the question, and i am literally nice enough to give you a chance to fix this disaster and you do nothing lol

so i sent a followup not even 60 seconds after jim sent his email

Hi, you still haven't answered whether you want to adjust the bounty on this case or leave a public statement on this to include in my post. Do you want to make no public statement on this, or will you send that later?

and i know that the dude isn't gonna reply within 24h even though i immediately replied because after all it's microsoft but gawddamn this might get spicy. because i either get a bounty after all (but very unlikely), or get to publicly shit on microsoft's security and bug bounty program lol


lexi
@lexi

I will certainly ask our bounty team about a possible adjustment but this case has been reviewed multiple times. If you recall from our conversation July 10, 2023 case managers such as myself have no authority over the bounty program's processes. We do want the researchers that we work with to be successful and certainly rewarded if the report submitted is assessed accordingly. Are you saying that you will disclose the fixed issue unless we pay you bounty?

emphasis mine: no bestie, i will expose the shit that MS has pulled either way :3

also i am considering just asking a few people at big news websites if they want a funny story. for example the verge seems to like exposing MS's shit lol

i also replied to the guy explaining that i am waiting for this to be fixed in prod so i can disclose it, and that i am not blackmailing but giving them a last chance to fix this whole thing and that i will publish about this either way. this is exactly the outcome i wanted, because now either they get shat on by either me or even a big news website, or get less shat on and have to pay me. lmao


lexi
@lexi

I understand your frustration with our low impact assessment. I have asked the product engineers several times to assess their initial impact finding. Their response is still that this is a low impact vulnerability. I also understand that we [redacted]. We are happy to review your blog statement if you wish to share before publishing?

so basically they understand that they should have paid me, but didn't. i mean, not a big surprise, that was exactly what i expected, but still lol

i'm still going to wait until i leak what [redacted] actually is out of respect to [redacted], but you're seriously gonna laugh about this



in reply to @lexi's post:

wild how different the Edge cybersecurity team works in comparison with their enterprise Cybersec.

Read a post yesterday on how one of their keys leaked and it necessitated a system crash dump with a race condition that grabbed one of their keys, which their internal system failed to flag that it was IN THE DUMP which it should not be, only to then get moved to a dev environment that was infiltrated by an engineer getting spoofed.

And then there's these posts showing how little MS cares about anything not corporate.

in reply to @lexi's post:

As someone who works at MS (not Edge though), I have literally never seen anyone say anything good about the MS bug bounty programs. That's a huge problem. I hope they eventually get their shit together.

damn that's crazy. anyway i have no power to change anything about this. no i do not have the power to help you talk to anyone who does. it's just the system i guess lol. so sorry! also get fucked lmao. goodbye eternally
