Poll: how much is source code for older, private fuzzers worth? The kind that doesn't find any new bugs anymore but could be built upon and/or reviewed for inspiration to write new fuzzers.
-
-
Maybe you'd like me to add a fifth option: an MSRC shirt and a beer at a conference?
-
sixth option: thanks page. Wait, it already exists and I've learnt a lot from public sources. Don't give me the thanks. It's my must to report it for free :p
End of conversation
New conversation -
-
-
Didn't mean to suggest that, I do however worry about the trend of less information being shared. I'm fairly new at Microsoft and not in MSRC, hopefully I'm not accountable for past sins. Either way drinks are definitely on me.
-
Selling information has allowed people like me to turn a hobby into a full-time profession. The benefit to everyone of having people work full-time on securing software far outweighs the loss we suffered as a community. I do miss the old days of sharing 0day on full-disclosure@ tho
-
... so if you can convince the Edge team to sponsor it, I'd be very happy for you guys to buy the fuzzers and publish them!
End of conversation
New conversation -
-
-
The original bug bounty programs I launched had no NDA. Sad times.
-
You were probably under the employee/former employee NDA. Sad times.
-
No, if you want to be eligible for a bug bounty, you cannot give Microsoft *any* deadline for a fix. This effectively means in order to participate, you have to allow Microsoft to potentially never fix a security issue and stay quiet about it. This is not acceptable to me.
-
Oh no. That wasn't there when I left, I'm so sorry it's become so legally restrictive.

-
It's not explicitly stated in any of the documents available online; it's their interpretation of Coordinated Vulnerability Disclosure (CVD). One of these days I really, really should blog about what happened in the months leading up to @InfiltrateCon last year.
-
Looking forward to reading this blog post!
End of conversation