Microsoft wouldn't look at a bug report without a video. Researcher maliciously complied
- Reference: 1742203806
- News link: https://www.theregister.co.uk/2025/03/17/microsoft_bug_report_troll/
Senior principal vulnerability analyst Will Dormann said last week he contacted Microsoft Security Response Center (MSRC) with a clear description of the bug and supporting screenshots, only to be told that his report wouldn't be looked at without a video.
MSRC told Dormann: "As requested, please provide clear video POC (proof of concept) on how the said vulnerability is being exploited? We are unable to make any progress without that. It will be highly appreciated."
Frustrated with Microsoft's demand, which Dormann said would only show him typing commands that were already depicted in the screenshots, and hitting Enter in CMD, the analyst created a video laden with malicious compliance.
The [4]video is 15 minutes long and at the four-second mark flashes a screenshot from Zoolander, in which the protagonist unveils the "Center for Kids Who Can't Read Good."
It also features a punchy techno backing track while wasting the reviewer's time with approximately 14 minutes of inactivity.
Dormann [6]said via Mastodon: "I get that people doing grunt work have mostly fixed workflows that they go through with common next steps.
"But to request a video that now captures (beyond my already-submitted screenshots) the act of me typing, and the Windows response being painted on the screen adds what of value now?"
To top it all off, when trying to submit the video via Microsoft's portal, the upload failed due to a 403 error.
Dormann's complaints coincidentally came on the same day MSRC published a [8]blog highlighting the strengths and key features of its coordinated vulnerability disclosure program.
A POC video - in addition to screenshots - isn't often required as part of a [9]vulnerability disclosure in the industry.
CISA uses the Vulnerability Information and Coordination Environment (VINCE), run by Carnegie Mellon, to receive vulnerability reports. It has the option to include a single 10 MB file to support written reports and additional files can be sent directly upon request, where necessary.
Public sector organizations in the UK tend to follow the advice issued by the [10]National Cyber Security Centre (NCSC), which also doesn't mandate a video report. A short description of the issue and details of how to reproduce the bug are the only requirements. This is generally standard practice, though not universal.
The Register contacted Microsoft for a response.
We also asked Dormann for additional input. He said requests for video can be found on other platforms such as HackerOne and Bugcrowd but in his opinion, requiring one signals to researchers that the reviewer is merely following a process rather than understanding the report itself.
As the post and video suggest, he was unimpressed by MSRC's refusal to proceed with the vulnerability report just because a video wasn't submitted in tandem.
"If a researcher is going out of their way to be nice to vendors and writing up vulnerability reports to share with them, the least the vendor could do is at least pretend to be taking it seriously," said Dormann.
"I reported three related but different vulnerabilities to Microsoft recently. Two of them requested video evidence of exploitation (for things that don't even make sense to have a video of, thus my malicious compliance example that I posted), and the third was rejected as not a vulnerability with clear evidence that the MSRC handler didn't bother actually reading what I submitted. Researchers doing the 'right thing' deserve better."
Dormann is still waiting to hear back from Microsoft after sending them the video. ®
Updated to add at 1010 UTC, March 17
Redmond messaged The Register this morning about the request, and apparently those who like bounty should comply. A spokesperson told us in an emailed message: "In some cases, our team may ask a security researcher to provide additional evidence with their vulnerability submission. This is not a requirement but can assist in ensuring accurate assessment and potential bug bounty reward."
[4] https://www.youtube.com/watch?v=fI84ATvG_xw&ab_channel=AnonymousTablet
[6] https://infosec.exchange/@wdormann/114155428150022282
[8] https://www.microsoft.com/en-us/security/blog/2025/03/13/how-msrc-coordinates-vulnerability-research-and-disclosure-while-building-community/
[9] https://www.theregister.com/2024/03/05/rapid7_jetbrains_vuln_disclosure_dispute/
[10] https://www.theregister.com/2024/12/03/ncsc_annual_review/
Re: May I recommend...
Can you dance the PoC?
->
this coat is used for dancing,
and that is what I'll do,
I'm gonna dance all over you
clear evidence that the MSRC handler didn't bother actually reading what I submitted
That's pretty much par for the course for any support request to Microsoft. They skim-read the comment, pick out a few isolated words, and then copy&paste an irrelevant response asking you to try all the obvious things that you've already done. Then they ask you to upvote them for being helpful.
And an AI can't do that?
Don't be silly, an "AI" might accidentally give a helpful, useful and even relevant reply.
What a shame if Microsoft get pwned from a trojan delivered via a video submitted using this route.
This reeks of Microsoft 365 Support Syndrome where, no matter how absolutely fucking crystal clearly I made the issue in the initial description, the technician will ALWAYS ask for a remote session, will ALWAYS ask for a phone call even though I specified I prefer email, and will ALWAYS be nigh fucking unintelligible when they do get on the phone. And when we go through the screen sharing merry-go-round and I show them exactly what the screenshots showed and do the exact same troubleshooting and debugging steps I ALREADY TOLD YOU I DID, you are still fucking surprised it doesn't work and have to "escalate the issue" because there's nothing after step four in your stupid fucking internal guide and the Microsoft docs don't have an answer for you to quote because I already looked, just like I told you.
I'm sorry can you tell I'm fed up. Especially considering this support costs thousands of dollars.
Honestly I just started putting single sentences in my tickets because it's about as effective. I know I will be forced regardless to slowly re-explain my case to some bored dude from Zimbabwe that doesn't care I exist so why should I even bother.
"Especially considering this support costs thousands of dollars."
Wait, what? That sounds exactly like my experience, the difference being I pay fuck all for support. That's egregious.
Let me guess, this call always takes place within the SLA timeframe, but the can they kicked down the road takes a while to be picked up?
It depends on your licensing model, which is itself an actual nightmare. I work in education and the choices they give you are all 3 letter acronyms and have changed completely at least four times in the past maybe 10 years, requiring new contract negotiations, new pricing, etc. Not to mention you have to wait for your reseller to even begin to understand the licensing changes too, and pray their license manager actually knows what they're doing and doesn't screw something up. This is outside of course them deprecating and now removing VLSC for end users, replacing it with the ugly and until very recently severely less functional Microsoft Admin licensing tab.
With the latest education model, I believe support is not bundled in to the subscription pricing and you have to pay for it. But unlike at $job[-2] I haven't seen the contract and can only regurgitate the rumors around the office, so take that with a grain of salt. I don't even know what they're calling it anymore, it used to be OVS and then EES and who knows what it is now with the introduction of 365 into everything. Last I did any license management was before the Office 365 rebranding so I'm a bit out of date.
And yes, we have a SLA for initial contact only. Anything after that is ¯\_(ツ)_/¯
That's happens...
... when tech support is moved to Dumbai.
Re: That's happens...
...when tech support is not properly trained.
FTFY. First-line tech support is almost universally shit in my experience, it just happens that India is a cheap place to outsource.
Nasty suspicion
" Two of them requested video evidence of exploitation (for things that don't even make sense to have a video of[...]), and the third was rejected as not a vulnerability with clear evidence that the MSRC handler didn't bother actually reading what I submitted. "
Could it be that M$ are staffing their 'MSRC' with folks who don't actually have much (or any) actual expertise? So they can follow a video exposition from start to outcome, but with zero understanding of what's actually happening (and for the same reason can't make use of a textual exposition). So it's possibly not so much " didn't bother actually reading " as "couldn't make head or tail of the text". This, if it's the case, exemplifies the burgeoning population of "techies" who can cope with the externals of tech but haven't a clue about what goes on under the hood. They're bringing the technologies to their knees, but they're cheaper to hire than the fully informed.
Not just MS
I have an outstanding ticket with a company. I have detailed steps on this, the problem, screen shots and so on. I have even had 3 remote calls, 2 recorded showing the issue and what needs to be fixed.
Last "resolution" I had was "you changed xxxx and so it has not applied. Please revert".
I point out that what they are saying is not the cause, it is not the problem. The fact that underlying critical components are missing and cannot be reinstalled / repaired is the problem...
they have not probably lost quite a big sale on that
File too big
Occasionally I've tried to send a report with a video and been told the video is too big - no matter what I have tried to do to the video / colour settings etc.
Then I get asked to "attach the video" and point out I cannot as I am told it is too big, and oh, I cannot send it via email as it is..... too big
The result of spending years burying tech help in 10 minute YouTube videos...
... is now you need to submit a video for everything.
May I recommend...
Putting the video up on TikTok too ?
See how fast those a$$holes at MS will react to it then...