Date: 2021-03-25
Arthur T Knackerbracket has processed the following story:
A vulnerability analyst and prominent member of the infosec industry has blasted Microsoft for refusing to look at a bug report unless he submitted a video alongside a written explanation.
Senior principal vulnerability analyst Will Dormann said last week he contacted Microsoft Security Response Center (MSRC) with a clear description of the bug and supporting screenshots, only to be told that his report wouldn't be looked at without a video.
MSRC told Dormann: "As requested, please provide clear video POC (proof of concept) on how the said vulnerability is being exploited? We are unable to make any progress without that. It will be highly appreciated."
Frustrated with Microsoft's demand, which Dormann said would only show him typing commands that were already depicted in the screenshots, and hitting Enter in CMD, the analyst created a video laden with malicious compliance.
The video is 15 minutes long and at the four-second mark flashes a screenshot from Zoolander, in which the protagonist unveils the "Center for Kids Who Can't Read Good."
It also features a punchy techno backing track while wasting the reviewer's time with approximately 14 minutes of inactivity.
Dormann said via Mastodon: "I get that people doing grunt work have mostly fixed workflows that they go through with common next steps.
"But to request a video that now captures (beyond my already-submitted screenshots) the act of me typing, and the Windows response being painted on the screen adds what of value now?"
To top it all off, when trying to submit the video via Microsoft's portal, the upload failed due to a 403 error.
[...] We also asked Dormann for additional input. He said requests for video can be found on other platforms such as HackerOne and Bugcrowd but in his opinion, requiring one signals to researchers that the reviewer is merely following a process rather than understanding the report itself.
As the post and video suggest, he was unimpressed by MSRC's refusal to proceed with the vulnerability report just because a video wasn't submitted in tandem.
"If a researcher is going out of their way to be nice to vendors and writing up vulnerability reports to share with them, the least the vendor could do is at least pretend to be taking it seriously," said Dormann.
"I reported three related but different vulnerabilities to Microsoft recently. Two of them requested video evidence of exploitation (for things that don't even make sense to have a video of, thus my malicious compliance example that I posted), and the third was rejected as not a vulnerability with clear evidence that the MSRC handler didn't bother actually reading what I submitted. Researchers doing the 'right thing' deserve better."
(Score: 2) by looorg on Saturday March 22, @04:57PM
I guess they don't want you to submit bug reports then. It's so tedious. After all, if you know about it you have to, or at least have to try to, fix them. In that regard this is a great way of claiming your products are bug free. No proper reports of bugs have been filed. Hence we are bug free. Problem solved.
Still this seems like an excellent source of rick-rolling or having people stare deep into the goatse. Oh you want video evidence ... suure... here you go ... I wouldn't expect to get any bug bounties after that but still, it might be worth it.
It's either that or perhaps some black screen with the flashing text "READ THE FUCKING REPORT BIATCH!" accompanied by some super annoying, or catchy, techno drum track. Looping for as long as is inappropriate. It seems like he went for a version of this one.