When knocking on your door will suffice.

Claiming that he had no choice but to release the bugs publicly seems like nonsense to me. His blog posts doesn't really make him appear rational either.

Since '90' is some arbitrary number some tech elites pulled out of their arses, this researcher should decide on a 90-minute window for "responsible disclosure" so they’re covered. I mean, Microslop are the ones that released a defective product in the wild, they’re the ones to really blame for it being found/exploited in the first place.

> The core of Microsoft's complaints is that the researcher did not attempt to report the bugs so that the company could fix them.

The exact scenario we warned about when the discussions about this "responsible disclosure" nonsense started. Someone needs a reminder that letting you know your software sucks is a courtesy, not something you can demand.

If Nightmare Eclipse did disclose these vulnerabilites to MS already (and if MS refused to act on them), one has to wonder if at least one of them was a deliberate backdoor left in their software (notably Bitlocker) for the benefit of the NSA? It's already well-known that the NSA has had backdoors for Bitlocker since its inception years ago.

The whole 'responsible disclosure' preaching and the not-terribly-subtle threats seem particularly bad given that there's an entire industry of actively more dangerous people who are not only treated as legal but actively courted by state agents and cops(and often even less savory customers, though they tend to be cagey about those); the ones who actively seek to keep vulnerabilities quiet so that they can continue to sell exploit tools and services based on them. Throwing zero days on github isn't ideal vs. getting them fixed; but it gets them fixed faster than if Cellebrite wants to hang on to a bitlocker bypass or Trenchant, and L3Harris Technologies Company, wants to keep selling 'network investigative techniques' that can bypass default windows defender configurations or whatever the situation is.

From the outside it's hard to know whether MS actually mistreated the researcher badly enough to justify their displeasure(the consensus appears to be that MSRC was never the best to deal with and has actively gone downhill; but this person's position seems significantly angrier than average) or whether they are perhaps wound a little tight; but implying that their legal status is the same as people actively running attacks against user systems is blatantly false and totally ignores the class of researchers who do actively run attacks while being treated as respectable.

It's a particularly bad look when at least Facebook got into a public legal fight with the NSO group over their nerd-merc work against their users; not like that actually solved the problem of attacks on cellphones; but it was an all-too-rare case of industry pushing back against the 'respectable' arms dealers; and not one that MS has an analog to.

The company assumes no responsibility when selling software but the user needs to assume responsibly when they find something wrong with the software.

Sorry but the company needs to take better care of it's customers if it wants it's customers to care about the company.

In the US this is protected speech. There is a flaw in published software such that x and y... This is a statement of observed fact no matter how obscure.

Poor form, yes. Illegal, no. To threaten or intimidate rather than fix the fault is reliance on the ancient Microsoft trope security through obscurity. Tolerance of that oppressive behavior makes us less secure, not more.

Closing their account on your service is fair game though. No obligation to host anyone for any reason.

Dealing with aggrieved customers is just a part of doing business with the public. No matter how well you behave some people just have issues, and some will have legitimate complaints. Microsoft is a multitrillion dollar multinational corporation. That comes with the turf.

This has been typical behavior for large companies when dealing with vulnerability reports for decades. Report one, they treat you as the problem. They'll try to ignore it, consider it "not exploitable", delay and deflect as long as they can get away with it, anything but address the vulnerability. And they'll never tell anyone the vulnerability exists. This only changes when they have no choice but to admit to the problem and fix it, usually when the vulnerability is being publicly exploited. They push "r

> [MS' response:] "Threatening to take legal action and call the cops on them."

So I guess we can now call them MicroSLAPP.