"After an email exchange that lasted over two months, “Brian” informed us on August 1, 2015, that the ability to share documents via short URLs “appears by design” and “does not currently warrant an MSRC case.”

What is it with these large companies ignoring serious security issues while paying attention to smaller ones? I reported something to Facebook that was a moderate privacy concern and got a bug bounty. A few months later, I discovered that I could make Facebook falsely report the domain that a posted URL goes to, and they denied that it was even a bug. So I could share a URL on mydomain.com, customize the contents of the share posting ("Obama says he's going to nuke Russia"), and Facebook would show users in the post that the link goes to Whitehouse.gov or CNN.com or any other domain I choose. This still works perfectly.

These companies really need to take a look at the analytical abilities of those they are employing to screen bug reports.

One also needs to take into account how these larger companies' internal groups function.

"Brian" probably looked into it, knowing that obscurity != security, but got a response back from the group responsible that this was the way they intended it to work, and that group's management wasn't going to do anything about it. "Brian" may have even put messages in the right ear up the management chain such that it would actually affect the outcome.

The fact that the email exchange lasted 2 months before "Brian" said "Sorry, not a case." probably means that "Brian" was trying to make it happen and had actually done an analysis.

* Note: I'm NOT Brian. I've never worked for Microsoft.

Probably some metric says that if "Bob" gets fewer than X cases per year he gets a bonus. Problem is "Bob" determines "Frank's" wage and "Frank" is "Brian's" boss. It is probably more complicated than that, but that's what it always boils down to.

