Researchers normally submit such findings to the Microsoft Security Response Center (MSRC) for patching to prevent hackers from exploiting them. But Nightmare Eclipse has deliberately ignored the responsible disclosure route, citing claims that Microsoft mistreated them.

“They mopped the floor with me and pulled every childish game they could,” the researcher wrote last month, without elaborating. “It was soo bad at some point I was wondering if I was dealing with a massive corporation or someone who is just having fun seeing me suffer but it seems to be a collective decision.”

  • Cocodapuf@lemmy.world
    14 hours ago

    Seriously, that’s the actual alternative. It’s not theoretical - people are definitely buying (and they pay better).

    Has Microsoft forgotten why they do these bug bounties? This is why. Because if they don’t pay, other people will. They’re actively turning the white hats into grey and black hats, selling to intelligence agencies and criminals instead of responsibly disclosing.

    This is on them.