Hacker News | itopaloglu83's comments

For the unfamiliar.

Manufacturing Consent: The Political Economy of the Mass Media by Edward S. Herman and Noam Chomsky


And based on the earlier concept by Walter Lippmann, first expressed in his 1922 book Public Opinion, which arguably birthed 20th century putatively impartial professional journalism.

<https://en.wikipedia.org/wiki/Public_Opinion_(book)#Manufact...>


Or they could’ve kept their bounty program running smoothly. But instead they pissed off another security researcher and received zero days of heads-up before public disclosure.

There is no excuse. GitHub runs a great program on HackerOne and it should just have been submitted there.

Also note that the person who found this was pissed because they had a difficult experience with submitting a bug for VSCode THREE YEARS AGO through MSRC which is _completely different_ than the GitHub H1 program and no doubt much more challenging with a different experience.

There is really no excuse for this irresponsible disclosure. They could have at least tried instead of holding a grudge for three years.


> GitHub runs a great program on HackerOne

I agree, for the record here's my HackerOne profile https://hackerone.com/ammar2/hacktivity?type=user

Just for context, that 2023 bug was initially reported to GitHub's HackerOne program and they explicitly told me it was out of scope for them and to take it to MSRC:

> We have reviewed the report and determined that the vulnerability is in VS Code and the fix will be implemented by Microsoft. As a result, it is not eligible for reward under the Bug Bounty program. Please follow-up with Microsoft via the report you submitted.

There was also an additional bug that allowed an attacker to exfiltrate private repo contents with a github.dev link that MSRC also marked as not having security impact.

I absolutely loved working with GitHub folks on the GitHub bug bounty program, they're responsive, go into technical details with you and are awesome to deal with. MSRC is like the polar opposite of that.


Well, no amount of instructions would work if the student has no intention to learn anything.

Tracking people individually and selling that data is so profitable that even with the hardened security the financial incentive is significant, so maybe we should also add fines and other forms of costs to the other side of the equation as well.

For the curious, it’s ASD-STE100.

https://www.asd-ste100.org/


I managed to download it!

Feeling very proud. That compsci degree finally paid off


It’s more malicious than that, they’re simply not renewing their code signing license, hence making the software non-functional.

Which probably allows them to skirt legal liability...

After all, a computer with the date set to 2021 will still function...
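To make the mechanism in the comment above concrete: a signature check that validates the signing certificate against the machine's wall clock passes or fails purely on what that clock says, which is why rolling the date back to 2021 "works". The block below is an added example written for this page, not code from the page or from any vendor; the certificate, key, payload and function names are constructed here for illustration. It builds a self-signed code-signing certificate that expired at the end of 2021, signs a payload, and verifies it twice, once with a 2021 clock and once with a 2024 clock, using only the Go standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// signedArtifact is a constructed stand-in for a signed program:
// the signing certificate, the bytes that were signed, and the signature.
type signedArtifact struct {
	cert    *x509.Certificate
	payload []byte
	sig     []byte
}

// buildArtifact creates a self-signed code-signing certificate whose
// validity ended on 2021-12-31 and signs a constructed payload with its key.
func buildArtifact() (*signedArtifact, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Code Signing (constructed)"},
		NotBefore:             time.Date(2019, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:              time.Date(2021, 12, 31, 23, 59, 59, 0, time.UTC),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	payload := []byte("constructed application binary") // constructed sample input
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return nil, err
	}
	return &signedArtifact{cert: cert, payload: payload, sig: sig}, nil
}

// verifyAt checks the payload signature and then the certificate as of the
// supplied clock value. The signature itself never stops being valid; it is
// the certificate validity window, compared against "now", that fails.
func verifyAt(a *signedArtifact, now time.Time) error {
	digest := sha256.Sum256(a.payload)
	pub, ok := a.cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return fmt.Errorf("unexpected public key type %T", a.cert.PublicKey)
	}
	if !ecdsa.VerifyASN1(pub, digest[:], a.sig) {
		return fmt.Errorf("signature does not match payload")
	}
	roots := x509.NewCertPool()
	roots.AddCert(a.cert) // trust the constructed self-signed cert as the root
	_, err := a.cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now, // the only input that changes between the two runs
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err
}

// isExpiredError reports whether a verification failure is specifically the
// certificate being outside its validity window, as opposed to a bad signature.
func isExpiredError(err error) bool {
	var inv x509.CertificateInvalidError
	return errors.As(err, &inv) && inv.Reason == x509.Expired
}

func main() {
	a, err := buildArtifact()
	if err != nil {
		panic(err)
	}
	fmt.Println("clock 2021-06-01:", verifyAt(a, time.Date(2021, 6, 1, 0, 0, 0, 0, time.UTC)))
	fmt.Println("clock 2024-06-01:", verifyAt(a, time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC)))
}
```

The first call returns nil and the second returns a CertificateInvalidError with reason Expired, with nothing else about the artifact changed. The practitioner's caveat is that a verifier which only consults the local clock is the weak design: a signature that was countersigned by a trusted timestamping service at signing time can be accepted after the certificate expires, because the verifier checks validity as of the countersigned time rather than as of today, so neither a forced expiry nor a clock rollback decides the outcome.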


Until they shut down the server, which will almost certainly be soon after the certificate expires.

Yep. Scummy, even for Microsoft. Too bad their EULA blocks class action.

They were selling it until October 2021, so it's not some ancient system. By building a time bomb into it, they misrepresented what was effectively a $50/year subscription as if it were a $229 purchase. Should be a slam dunk case, but it won't be.


Their EULA is meaningless in countries with strong consumer protection laws.

I didn't know you could block class actions just by stating it in the TOS for a product - thanks for the tip!

I don't think this can be the case given that the program will keep working in reduced functionality mode. This wouldn't be possible in the situation you describe.

It feels like they’re trying to put hurdles in front of you instead of getting info about repeatability of the vulnerability.

In Honda vehicles, you can turn it off but then it will show a permanent warning on your dash saying your spying settings are off and keep bugging you as if you’re out of fuel.

Here is an opt-out page for those with Hondas who want to know more.

https://www.honda.com/privacy/your-privacy-choices


Yes, we also need laws against dark patterns.

I would say the same applies to background processing as well. A random app that I don’t interact with launching every minute and wasting everything from battery to network bandwidth is simply not acceptable, and most of the time they’re loading ads or doing some other stuff that serves me no good.


I wish I could set this as the user. Apple ties background app refresh to the frequency of use, but that sucks for self-hosted photo backups. I use Immich and I don't open it too often, so Apple breaks my chosen backup system for my photos.


Thanks to the cookie banner all I can read is “Leaked Documents Reveal” and no I do not consent to cookies or you tracking and selling my information.

