Me to MSRC: Words clearly describing a vulnerability, with supporting screenshots of the commands I typed and the response that Windows gives.
MSRC: Can you please provide a video showing the behavior you are seeing?
Me: ...
I get that people doing grunt work have mostly-fixed workflows that they go through with common next steps.
But to request a video that now captures (beyond my already-submitted screenshots) the act of me typing, and the Windows response being painted on the screen adds what of value now?
@hal8999
True. I've seen this across the board with every place that receives vulnerability reports.
Wouldn't it be nice if individuals taking the time to research, discover, and report vulnerabilities for coordination would be given the courtesy of being handled by somebody who understands vulnerabilities, as opposed to a worker following a flowchart with zero understanding of what they're talking about?
But no. That's not the world that we live in. 😕
@wdormann I have given up on getting help from Google on anything. If I reported a giant fire-breathing dragon attacking their headquarters, they'd ask for a video and HAR files.
@wdormann Had a problem with my natural gas water heater last week, so I called the supplier. Person who answered asks what my problem is. I explain that the heater burner ignites, but after a few seconds goes out. It then repeats the cycle over and over. I indicated to them the flame sensor is either too covered with carbon and needs to be cleaned, or the sensor is bad. They then proceed to ask me to check to ensure it’s getting power and gas supply, and to confirm it’s on 🤦♂️
@fellows
You gotta start in that flowchart somewhere. 😂
@wdormann if you put these screenshots in a GIF does that count as "Ticks the box" 🙄🙃
@stf
Already done:
https://infosec.exchange/@wdormann/114105225709232478
😂
MSRC to me just now:
As requested, please provide clear video POC (proof of concept) on how the said vulnerability is being exploited? We are unable to make any progress without that. It will be highly appreciated.
Time to make a 10-minute-long video of me pressing enter in CMD.EXE...
@GossiTheDog
I'm about to improve my "malicious compliance" skills...
I get it that kids these days can't comprehend anything that doesn't live in TikTok. But for MSRC to not accept a clearly worded vulnerability report that doesn't have an associated video with it...
Fine. You want compliance? (Malicious) compliance is what you'll get.
https://www.youtube.com/watch?v=fI84ATvG_xw
@wdormann Don't forget to mention that the sound is essential in understanding the exploit.
@wdormann Very nice. You could've added a temple run stream on half the screen for additional brain rot
@wdormann I love the deliberate slow activity. AWESOME
"Don't make vulnerability reporters angry" is not high on anybody's list, it seems.
@wdormann
Sweet soundtrack, would you mind sharing track name?
@wdormann I'd also consider like encoding your report text into an image and making it a 1-frame video
@wdormann Was half-hoping this was a next-level rickroll (but it's an 'i' not an 'L' for anybody typing it at home).
@wdormann (and I probably should have looked up in the thread, there's an actual link up there ;-)).
@wdormann and today they release this 😂
"How MSRC coordinates vulnerability research and disclosure while building community"
@wdormann I once tried to submit an XSS report to a company's security response center and their WAF blocked my request because the report had some XSS payloads in it.
@maodun
I recently had to report something to an AV vendor that had the EICAR string in the PoC.
Despite being in a PGP-encrypted email, they requested that the attachment be put in a password-protected ZIP file. Presumably because their systems quarantined the one I sent. 😂
@wdormann reminds me of MS support cases where you clearly specify you only wish to be contacted via email and during 9-5 business hours, but they call you at 10pm instead.
@wdormann this thread should be used as evidence that trying to help Microsoft when they aren't paying you is just a bad idea.
@wdormann more material for The Register https://www.theregister.com/2025/03/17/microsoft_bug_report_troll/
@wdormann Ey, don't dunk on us, text stuff has become so bad with autogenerated crap that video material has nowadays kinda reached a higher likelihood of quality (until AI catches up), we're just as mad as you. And many platforms very much push video over text as well. It's a friggin scam.
But your PoC is nice, sounds great on 2x even :D
@ljrk
Why bother providing a sentence that can be read, and even copy/pasted, when somebody can convey it to you in an extremely inefficient and annoying manner, amirite? 😬
@wdormann Having worked at MSRC back in 2006, I took some of your reports back then, along with working with you to fix up the issues. This makes me sad. Your reports should be accepted by default. You have time and time again proven your worth and skills.
@Killbit
Yes, at some point (around 2006 or so 😂) I've used MSRC as an exemplar of doing security right.
It's quite sad how things have changed...
@wdormann I feel like they watched your video / observed the YouTube URL and were like "oh two can play at this game".
@wdormann You, sir, are an actual legend! And given how much they pissed me off recently… if they pull this on me I may have to take inspiration…
@wdormann can you make it a vertical YouTube short? We have a short attention span and work on our smartphones.
@GossiTheDog @wdormann paid support is definitively outsourced. Not sure about security bug triaging, but probably the same.
@cirriustech
Malicious compliance exists for a reason. 😂
@GossiTheDog @http
I've had lovely exchanges with MSRC in the past (15-20 years ago).
Specifically, I had two individuals that I could call up at any point because I had their phone numbers, and they'd happily discuss security issues. But that time has long elapsed.
At some point I gave up on them, and these exchanges just reinforce my decision. 😬
@wdormann Welp, you made El Reg.
https://www.theregister.com/2025/03/17/microsoft_bug_report_troll/
Congratulations?
@wdormann And you do it so well! I’ve just complained that 13 days in the only thing I’ve had other than auto responses is that from Thursday until yesterday my case was “on hold” due to “additional information needed”, referring to the activity list to tell me what they needed but there being nothing there about what info they needed.
They annoyed me on my previous two recent cases too.
I’ve just asked if I need to set a public disclosure date to get any meaningful response (my previous two had disclosure dates set when I raised them)