Companies will put up all kinds of obstacles to responsible disclosure for researchers to get around, to make their own lives easier. But they often forget that in the end it is the researcher who calls the shots. It is the researcher's vuln and they can do whatever they want with it.

https://www.bleepingcomputer.com/news/security/disgruntled-researcher-leaks-bluehammer-windows-zero-day-exploit/#comments

#vulnerability #disclosure #responsibledisclosure #windows #microsoft

Disgruntled researcher leaks “BlueHammer” Windows zero-day exploit

Exploit code has been released for an unpatched Windows privilege escalation flaw reported privately to Microsoft, allowing attackers to gain SYSTEM or elevated administrator permissions.

BleepingComputer

@spacerog I agree with your point in general. It's odd that you're using a Microsoft case as the example. Microsoft was among the first companies to push for not calling it "Responsible Disclosure" for exactly the reason you point out. https://www.microsoft.com/en-us/msrc/blog/2010/07/coordinated-vulnerability-disclosure-bringing-balance-to-the-force

For this specific case, who knows where the difference of opinion was; the GitHub is super low on details.

Coordinated Vulnerability Disclosure: Bringing Balance to the Force