No idea what's happening here, but the First Rule Of Major Bug Bounty Programs is that everybody involved on the vendor side is actively incentivized to pay out. In many cases, there are people whose internal metrics depend on payouts. Payouts are causes for celebration in these programs. Microsoft is almost certainly[†] not trying to save money by screwing over bounty claimants.
This might not be true of small companies (and is a reason why small companies shouldn't run bug bounty programs), but it is definitely true of FAANG/MAG7-scale companies.
This doesn't mean these bounty programs err on the side of paying out, or that they won't routinely make decisions that will piss you off. It does however work against claims that they're withholding payouts vindictively.
[†] Only hedging because it's been a minute since I've talked to anyone at Microsoft.
It all started because the bureaucracy refused to even consider Bluehammer when they couldn't cajole the reporter into providing video footage.
And then to double down and ban accounts because you'd rather not fix the bureaucracy is really just a bad look. I'm not quite sure why MS is getting the benefit of the doubt from you.
The bug this guy brings up is very obviously a Bitlocker backdoor and raises very serious questions about what Microsoft is doing with the encryption. Pretty certainly they're able to decode the volumes without the user's key, which is extremely concerning.
Looks like they're trying to make it disappear, but it's in the wild now.
If they were smart after the ban, they'd hire him for mucho dinero. These corporations are nervous but if they're not stupid they pay out. It's Microsoft, so it's perhaps not the most progressive when it comes to these things, so who knows if they've realized it.
To corroborate, working in bug bounty triage, I never saw any evidence of reluctance to pay out.† The worst company-side behavior I observed was asking researchers to "please stay away from X" in their proof-of-concepts and then making higher payouts to researchers who ignored that instruction (because, after all, the demonstrated risk was higher!).
On the other side of things, I saw one major program pay out at an inappropriately high tier, over and over again, because a long time ago the researcher had successfully argued that his garden-variety XSS exploit could be used to generate an effect that was listed at a higher payout rate, and then he made sure that whenever he found an XSS, he included a proof-of-concept generating that same effect. Other researchers reporting XSS got the listed XSS rate.
† Actually, I can think of one time. Someone achieved the holy grail and installed a webshell on a company server, which under current guidelines would have been worth more than $10k. However, they didn't uninstall the webshell. They just filed their report and left it up. This enraged the head of the program, who commented specifically that he didn't want to pay out a bounty because of it. I don't recall whether a bounty was ultimately paid or not.
Read the write up on YellowKey. [1] It sounds like, in at least some instances, he's publishing official Microsoft backdoors probably used by US intelligence agencies et al. It turns out that Bitlocker is insecure and backdoored. Something noooobody expected after TrueCrypt just mysteriously and suddenly shut their doors one day, removed all downloads, and recommended everybody move to Microsoft's BitLocker. lol.
[1] - https://www.tomshardware.com/tech-industry/cyber-security/mi...