Experts published unpatched Windows zero-day BlueHammer - Security Affairs

A researcher leaked the unpatched Windows zero-day “BlueHammer,” letting attackers gain SYSTEM rights; no patch exists yet. A disgruntled researcher released the BlueHammer Windows zero-day, a privilege escalation flaw that allows attackers to gain SYSTEM or admin rights, Bleeping Computer reports. The researcher privately reported the vulnerability to Microsoft but criticized the way Microsoft’s Security […]

Security Affairs
@Sempf @wdormann Wait that was Will?! 

@cR0w @Sempf
I didn't discover the vulnerability or make the exploit. I merely looked at it after it was published. Now that I'm allowed to talk infosec publicly again.

I also shared my thoughts about what it's like to work with MSRC these days. 😂

@wdormann @Sempf Ah, got it. Still cool. It's open in a tab to read tomorrow when I have a functioning brain cell again.
@cR0w @Sempf
It's kind of neat. And slightly complex.
But essentially the consequences of pissing off security researchers wanting to do the right thing.
@wdormann @Sempf We need more of that.

@cR0w @wdormann @Sempf no more free security work

[edit]: no more free security work for giant megacorps that could trivially afford to pay you very very well but literally don't out of spite and greed. Help tiny companies, the little guy, FOSS projects..

if the org makes over a billion a year, no more free infosec

@Viss @cR0w @Sempf
That's completely fair. There are some big for-profit companies that don't even do the bug bounty thing. So in that case, it's as free as it gets.

And for those that do bounties, what's sort of hand-waved over is that those bounties merely pay for your silence. Not for your work.

@wdormann @cR0w @Sempf or they do what keeps happening to me
- they find a way to claim it's out of scope
- add language to the bounty to retcon that into existence
- fix the bug
- I get fucked

I don't do bounties anymore.
It's like 5 in a row now.