
Responding to bug bounty reports is a thankless job. Especially these days it's a flood of AI spam, language barriers, "pay me first", incomplete reports, huge egos, and people who think every find should be treated as a critical vulnerability. The people who handle these reports often do so after-hours or on holidays. In smaller companies they're also often the ones who manage the triage, patching, testing, and security release process. In larger companies they have to find owners for every line of code and convince those code owners of the severity (often knowing that neither of them will be rewarded for doing the work).

All it takes is one wrong person to be assigned as a report comes in, a person who doesn't understand the real value of a bounty program, or one person having a bad day to completely ruin a company's reputation. It seems like that might have happened here (of course MS has done this before so who knows if it'll matter in the end).

Microsoft needs to be completely transparent and to do so immediately. They should, with the reporter's permission, release all communications. They can exclude technical details if patches aren't available yet. Doing anything less is going to prevent a lot of people from using their bounty program in the future and we'll all be worse off for it. They almost certainly made a mistake and they need to own up to it.


> The people who handle these reports often do so after-hours or on holidays.

If that's the case at Microsoft, something is absurdly wrong.


I had Claude code up a Slack bot so I could play any Z-machine game co-op with friends. We started up Zork 1, wandered the available map, made it to the cellar, walked north, and hit a room that was insta-death. We still haven't gotten back into it.

https://gitlab.com/briann/slork


And if you happen to use Zulip instead you can use zulip-zork!

https://github.com/mnky9800n/zulip-zork


Krebs was fired in 2020, not 2025.

Correct, thank you, I can't edit now though. Fired in 2020, clearance revoked in 2025.

Now imagine if the power is out and cell service is down. We saw that happen in San Francisco and it was chaos.

That's why on-board sensor-only systems are the way to go.

The absence of any explanation for the suspension does seem intentional. If it were me that's one of the first things I would've asked so that I could make sure it doesn't happen again.

My eBay account is partially suspended -- I can buy but I cannot sell. Of course I asked why! But they refuse to tell me.

The exploit they chose assumes ASLR is disabled for simplicity's sake, but if you read the full writeup they say they could've used the vulnerability to map memory layout. It's nice to have ASLR but some types of vulnerabilities can be used to bypass it.


The guy also had to plug in an old hard drive for Claude to search. Sounds like he had an idea the wallet was on there to begin with.


I can't believe any town would vote for a paper mill. It smells like a paper mill.


Well, they do provide jobs and tend to stay around for a while given the large investments needed to establish one. There is a big one about 15 km from where I live, it smells about the same as a wastewater treatment plant. There was one close to where I lived while in university as well (another era, another country) which mostly smelled of warm paper, no bad smells. All in all there are worse industries to have around.


It's worse when your region has issues and your customer's infrastructure is fine.


I watched the talk as well and it's very interesting. But isn't this just a buffer overflow in the NFS client code? The way the LLM diagnosed the flaw, demonstrated the bug, and wrote an exploit is cool and all, but doesn't this still come down to the fact that the NFS client wasn't checking bounds before copying a bunch of data into a fixed-length buffer? I'm not sure why this couldn't have been detected with static analysis.


I guess so, but there's a ton of buffer overflow vulnerabilities in the wild, and ostensibly it wasn't detected by static analysis.

The red team post goes over some more impressive finds, and says that there's hundreds more they can't disclose yet: https://red.anthropic.com/2026/mythos-preview/

