this post was submitted on 27 May 2026
818 points (99.2% liked)

Technology

84980 readers
3597 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 3 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
818
Microsoft's GitHub bans security researcher who posted zero-day Windows exploits because company 'ruined their life' — expert claims action is vindictive and promises further retaliation (www.tomshardware.com)
submitted 1 day ago by throws_lemy@reddthat.com to c/technology@lemmy.world
122 comments fedilink hide all child comments
(page 2) 50 comments
sorted by: hot top controversial new old
[–] atrielienz@lemmy.world 145 points 1 day ago (2 children)

If the guy exposing the exploits is the be believed, they notified MS (or attempted to) and were ignored and then actively rebuffed. Then MS deleted the account (and the proof that this person actually reported these vulnerabilities/bugs).

Even if this person is lying I'm more likely to believe MS is the bad guy here. It seems like bullying to me. That and an attempt to mask the problems at the company because they have been getting a lot of bad press and are having trouble with the entirety of windows 11 which they forced on people and they keep breaking. The adoption rate of windows 11 being so bad also lends credence to what this person is claiming.

[–] 0x0@infosec.pub 33 points 1 day ago

Microsoft has always been an evil company, but wow they are trying their hardest to reach Gates level of shit

load more comments (1 replies)
[–] SuiXi3D@fedia.io 51 points 1 day ago (2 children)

I wonder if the dude happened to find an internally documented backdoor intended for use by government actors? Or most likely they just don’t wanna deal with it and the perceived fastest way to deal with it is to try and bury it. Both could be true, but I’m just speculating.

[–] starshipwinepineapple@programming.dev 32 points 1 day ago* (last edited 1 day ago) (4 children)

Their april 15th blog post explicitly calls it a backdoor and mentions it was very well hidden. I'm interested to see what comes of this

load more comments (4 replies)
[–] Chais@sh.itjust.works 10 points 1 day ago (2 children)

I was wondering that myself.
I mean, a mechanism that allows you to get the malware scanner to place whatever software you want on a machine, give it system access and then execute it, feels like a prime suspect for "lawful source interception" bullshit.

load more comments (2 replies)
[–] shortwavesurfer@lemmy.zip 88 points 1 day ago (2 children)

And this is why if you're going to post something like this, you host your own git. Or use something like codeberg.

[–] mote@lemmy.ca 52 points 1 day ago (1 children)

The dichotomy here is you can't be famous hosting exploits on smaller forges. Gotta be on the big platforms where you can be starred and forked for social media cred to make news stories to impress your friends. IIRC I think HeartBleed (maybe ShellShock?) was the tip of this popularity iceberg...

[–] panda_abyss@lemmy.ca 27 points 1 day ago (1 children)

Does anyone care about stars?

Openclaw is the most starred repo in years (i wonder why) and is incredibly niche.

Stars are kind of a scam.

[–] NotSteve_@lemmy.ca 24 points 1 day ago (1 children)

I do loosely use stars to gauge how popular a library/framework is before investing a lot of time in it, however, I do also use other metrics like PR count, issues, etc

load more comments (1 replies)
[–] Washedupcynic@lemmy.ca 27 points 1 day ago (4 children)

I'm no expert. Is this an issue where MS is refusing to pay bounties to the researcher for finding the bugs, and MS follows up by deleting the researcher's git hub? Am I missing anything? If I understand the basics, this is how you turn a white hat into a black hat. Good job microslop.

[–] Trainguyrom@reddthat.com 20 points 1 day ago

So the researcher has posted on their blog over the past few months some rants about Microsoft "destroying their life" and vowing to continue to post zero days in retaliation, and has been posting proof of concept code for these zero days to their GitHub.

From their rants (there's a couple of fresh ones including indication that tomorrow will be "one of the hardest days of their life" and that they'll post a big zero day on July 14th) it sounds like Microsoft deleted their account, revoked their access to the responsible disclosure portal and they've had some back and forth discussions in private that they're now making more public

Normally what happens is researchers report vulnerabilities via Microsoft's purpose-built bug bounty portal, and Microsoft can patch these vulnerabilities before they can be actively exploited, and researchers can pocket enough income to make a living entirely off of bug bounties. Obviously this all broke down in the case of this particular researcher so here we are

[–] Bazoogle@lemmy.world 19 points 1 day ago

His blog posts share his side of the story, but Microsoft has not made any comments about what happened.

From March 26:

I never wanted to reopen a blog and a new github account to drop code...

But someone violated our agreement and left me homeless with nothing. They knew this will happen and they still stabbed me in the back anyways, this is their decision not mine.

Then on April 15:

Normally, I would go through the process of begging them to fix a bug but to summarize, I was told personally by them that they will ruin my life and they did and I'm not sure if I was the only who had this horride experience or few people did but I think most would just eat it and cut their losses but for me, they took away everything. They mopped the floor with me and pulled every childish game they could. It was soo bad at some point I was wondering if I was dealing with a massive corporation or someone who is just having fun seeing me suffer but it seems to be a collective decision.

And one other thing, they do everything but support the research community, I won't disclose details but they sabotage people a lot. I mean just look at the past, Microsoft is the only major company who had a track of multiple vulnerabilities being publicly disclosed just because the researchers were soo upset by how MSRC treated them.

Unfortunately, the folks who have the capacity to stop those disclosures, not only don't care but also seems to push harder for worst exploits to be released, I didn't want to be evil but they are actively poking me to start releasing RCEs which I will be doing at some point...

I will personally make sure that it gets funnier every single time Microsoft releases a patch.

There was a comment on the first post that I feel like is pretty on point, though a bit arm chair psychologist:

You’re a smart guy. Maybe a savant. Just wondering if you’re BiPolar (like me) and see a different reality than what is real. Been there.

[–] KairuByte@lemmy.dbzer0.com 16 points 1 day ago

I don’t think we know enough information to say what the root cause is, but this is definitely not the way to go about anything on the M$ side.

load more comments (1 replies)
[–] green_goglin@thelemmy.club 22 points 1 day ago

Microslop C-Suite boomers really are dumb af

[–] homesweethomeMrL@lemmy.world 37 points 1 day ago

The saga has drawn speculation from other experts, like William Dormann from Tharros, who said that "MSRC used to be quite excellent to work with. But to save money, Microsoft fired the skilled people, leaving flowchart followers. I wouldn't be surprised if Microsoft closed the case after the reporter refused to submit a video of the exploit, since that's apparently an MSRC requirement now."

. . . In this day and age, when AI-powered security research has arguably made the standard 90-day disclosure-to-patch window completely obsolete, and both time-until-exploit and unused exploits are both nearing zero, Microsoft and other software players would do well to adjust their policies.

That's such an insane aside. 90-day disclosure-to-patch. Craziness.

On the other hand, this is exactly the way microsoft has been for - easily - 30 years. Like, 1996 microsoft could be slotted into today and literally nothing would change. Other than Nadella would probably be on a bunch of coke.

[–] devaly@ani.social 40 points 1 day ago (3 children)

and their gitlab is already blocked as well

load more comments (3 replies)
[–] apftwb@lemmy.world 11 points 1 day ago* (last edited 1 day ago) (1 children)

Too bad there aren't any GitHub alternatives for them to post future exploits on.

[–] Jhestyr@lemmy.world 7 points 1 day ago (2 children)

I have to assume being sarcastic. But if not a locally hosted gitea is trivial to set up.

load more comments (2 replies)
load more comments
view more: ‹ prev next ›