Microsoft's policy is: "if you contact us with a vulnerability, you automatically agree to the terms of our responsible disclosure policy", which includes waiting 30 days after patch was created, and says nothing about how long that process takes.

There is actually no way to give them a friendly heads up, and then do your own thing. The only way not to be bound is by not sending them any notification at all...

> terms of our responsible disclosure policy

I couldn't find a public copy of that.

The best starting point I found for reporting vulnerabilities was: https://github.com/microsoft/MSRC-Security-Research/security...

You can email without agreeing to anything. But for a serious issue Microsoft would obviously try and track down who you are and what jurisdiction you are in.

https://www.microsoft.com/en-us/msrc/bounty-guidelines

> MICROSOFT BOUNTY TERMS & CONDITIONS

> Last updated: July 23, 2025

> The Microsoft Bug Bounty Programs Terms and Conditions ("Terms") cover your participation in the Microsoft Bug Bounty Program (the "Program"). These Terms are between you and Microsoft Corporation ("Microsoft," "us" or "we"). By submitting any vulnerabilities to Microsoft or otherwise participating in the Program in any manner, you accept these Terms.

Who knows if it's enforceable.

This seems to be sloppy wording, with the intent of "we only offer the bounty under these terms". Maybe my interpretation is too charitable.

I wonder if "if you contact us... you automatically agree" stands in court. That's just ridiculous.

Reader, it does not.

Since no contract is signed, this is just pure fantasy on your part.

You're right, they don't need to. They have an alternative, to accept what people say or think about them in response. That's what I said.

So how do we feel about Linux distributors who have their heads up their asses and sat on their hands for 30 days?