
I think this is utterly irresponsible to publish without trying to contact Microsoft's security team first. Why on earth?



This would put more pressure on Microsoft to fix the issue at hand, no?


Perhaps but it also increases the probability that a possible security issue gets exploited. I suspect the author just wants publicity first. Ego talks.


They don't have a vulnerability reward program, so why on earth would you?


So you're saying you should only do the right thing if there's something in it for you?


It's probably a better incentive than getting nothing back :-)


You get better security back for all the Windows machines that are in your local network, the ones that your customers use or the Windows/Azure servers you use for your day to day business.

If you dump it online way more people start looking at it. They might be able to turn it into a reliable exploit leaving you, your customers and your servers at risk.

But the last thing HN needs is another debate on the pros and cons of full disclosure; that's been done to death in the past decade all over the web :)


OK, conversely, you're saying that you should do the wrong thing (as in this case), if there is no financial incentive?

Given you aren't going to get a reward either way, why not do the right thing?

Frankly, I can't believe I need to discuss the morality of this. Is it not obvious?

And yes yes, I realise this is probably a case of Hanlon's Razor, not a moral failing, but justifying it on the grounds of there being no reward is crazy.


This case is not 'the wrong thing'. The wrong thing is selling this data to criminals, or not publishing it at all because odds are someone else is going to find it eventually.

What you're calling "the right thing" isn't zero cost. It takes a fair bit of time (spaced out over a period of months, by the way, so it's not a fire-and-forget report) to report a vulnerability to Microsoft and follow up with their security team. More so if your vuln is at all interesting or complex. You may have to write PoCs. Your vulnerability will be patched in 4-6 months (not exaggerating, although this will obviously be quicker if it's made the news somehow), and you'll get a minute credit in their Patch Tuesday notes.

So no, the morality of this is not obvious. Where is my moral obligation to effectively do charity work for a megacorp that can't be bothered to keep up with industry standards in security?


Well, I was just trying to guess their reasoning. I'd have no problem doing The Right Thing™, but I'm nowhere skilled enough to find a vulnerability anyway.

As it stands I don't think there is much harm done because it's a local vulnerability, crashing a user-mode process. Annoying, maybe, but my graphics driver has a far worse track record as far as bluescreens are concerned.


Is stuffing the cracks in Windows the right thing in the end though?


I wonder how easy it is to actually contact Microsoft on matters like this? It would probably take hours upon hours of searching convoluted corporate websites just to get an e-mail address or phone number to contact. Just slamming it on the web and posting on hacker news will take less time and is sure to reach Microsoft's attention quickly :) Sure, it's not responsible but not everyone is.


I wonder how easy it is to actually contact Microsoft on matters like this? It would probably take hours upon hours of searching convoluted corporate websites just to get an e-mail address or phone number to contact.

You could go to microsoft.com and type "report a security vulnerability" into the search box. Then click the first result.


Well that was easy. It even worked on the internationalized version in my native language, which is not common with corporate websites. But that's just the first step, anyway.


Pretty easy; you just email secure@microsoft.com (there are PGP or S/MIME keys available too) and you generally receive a response in a maximum of 48 hours. In most cases you get a reply within a few hours stating that you've passed their spam filters, that they've done an initial overview of your report and that they will start looking into it.

If you google for "microsoft report security vulnerability" the first page you get is this: http://technet.microsoft.com/en-us/security/ff852094.aspx. Doesn't get much clearer than that in my opinion.



