NagatoYuzuru 4 hours ago

> the last time I interacted with MSRC regarding reporting a VSCode bug, it was a horrible experience where they silently fixed the bug

Classic MSRC. It has figured out that researchers will report for free regardless. Why change?

guessmyname 3 hours ago | parent | next [-]

MSRC doesn’t fix bugs.

I don’t know the specifics of this case, but I’ve managed bug bounty programs in the past through Bountysource and HackerOne. One thing that occasionally happens is that a report makes its way to the development team before the security team has fully assessed it, in this case MSRC.

At that point, a developer may decide to quietly fix the issue. Sometimes that’s driven by a concern, rational or not, that being associated with a security bug could reflect poorly on them or affect future promotion opportunities. The result is that by the time the security team attempts to reproduce the report, the vulnerability is already gone.

From MSRC’s perspective, all they see is that the provided reproduction steps no longer work. They have no visibility into the internal history of the bug or whether someone already patched it. As a result, the report gets closed as invalid even though the original finding may have been legitimate.

anonbanana 2 hours ago | parent | next [-]

That makes sense but doesn't excuse the behavior. Just because there is poor communication within Microsoft doesn't make it okay to silently patch a vulnerability. Also, looking at the timeline on OP's post from 2023, it seems they patched it and closed the bug on the same day, which is a little sus.

peterkelly 18 minutes ago | parent | prev | next [-]

If only there were some kind of system for recording the version history and viewing what changes had been made to the code between releases.

moi2388 an hour ago | parent | prev [-]

Nonsense. As if there are no versions for their software releases.

This is laziness, security absolutely could verify these steps.

natpalmer1776 4 hours ago | parent | prev [-]

It was the status quo for a long time, then the pesky security researchers started asking for compensation instead of clout.

ammar2 4 hours ago | parent | next [-]

> instead of clout

I'm catching up on the infosec twitter side but it seems like it was even worse. A lot of people have the same story as me in 2023 of "they silently patch the bug and don't even credit you" which really stinks.

natpalmer1776 3 hours ago | parent [-]

It definitely reminds me of the stereotypes of big business types stepping on the little guys to climb the ladder.

I hope you get credit where credit is due in future endeavors.

opello 3 hours ago | parent | prev [-]

Do it for the exposure! Artists of many stripes have had to combat that for ages.