I’m deeply uncomfortable with Microsoft attempting to weaponise their extensive law enforcement contacts to arrest people who post zero days in the products.

It comes after the researcher was kicked off GitHub (owned by Microsoft), Gitlab (a Microsoft partner), after they were doxxed on Twitter and had their MSRC - Microsoft vulnerability reporting portal - account disabled.

https://www.microsoft.com/en-us/msrc/blog/2026/05/a-shared-responsibility-protecting-customers-through-coordinated-vulnerability-disclosure

Do I think the finder was acting rationally? No. Do I think Microsoft gets to decide what is criminal activity around proof of concept exploits? No.

GitHub has long been a source for zero-day exploits in competitor products - it still is. While I worked there GitHub had a policy saying they wouldn’t remove them.

By continually removing just exploits for their own products from GitHub and declaring “criminal activity”, it’s a rubicon.

@GossiTheDog

I wonder if anyone in CELA signed off on simultaneously doing a thing and publicly declaring that doing that thing is criminal behaviour.

@GossiTheDog
So that's why Linux is getting the press about zero days when Windows is still the most rickety shit you ever saw
@GossiTheDog Shit, Microsoft was basically *built* on the other side of the Rubicon, to torture the analogy. Never have they ever been accused of being ethical.
@lykso @GossiTheDog
Microsoft attained market dominance in the eighties by scaring people with fake error messages, so yeah. People should remember better
@GossiTheDog I was actually surprised that the repos weren’t taken down sooner given Microsoft’s track record with similar cases affecting their products.
@GossiTheDog To add, according to Low Level's video on the subject, Microsoft marked previous zero days the person reported as ineligible for its bug bounty program (saying administrator to kernel/system access is not a security boundary).
@GossiTheDog that sounds like it should be illegal somehow, wow