Attacking the messenger is an age-old trend in the bug reporting arena.
Microsoft has the backing of many governments, and has access to the best legal teams possible, leaving this guy in a world of hurt.
Microsoft seems to have brought this on themselves by creating a complex and user-hostile bug reporting system. It seems to me that they could have offered this person a job or a contract, because Eclipse has been amazingly effective at uncovering high-severity exploits.
Also, Eclipse could have approached various governments offering the exploits for sale, because a lucrative market exists for such things, assuming they aren't already in the NSA portfolio. Lots of above-board companies do the same thing.
Quotes in this article blame Eclipse for the damage, but the blame should really rest with Microsoft. Eclipse is apparently just one person using an AI framework. Microsoft has vastly more resources to discover and fix problems with their products, but they never seem to do it themselves.
You don't even need to find a whole 0day, you can find step 3 of 14.
Just dump it anon or sell it, don't even try to claim a bounty or get a cve. Without elaborating, they will make sure you regret it
Same goes for games. If you find RCE, report it and move on. If it remains unfixed let a journalist know. Do NOT accept their invite to the studio, they want to have you arrested. Would have happened to me were it not for one dude with a conscience at the company warning me not to go
Do you have any evidence this is actually happening to good faith security researchers?
There are many examples of Microsoft and other large corporations treating security researchers well. Microsoft hosts BlueHat, where they invite external parties to talk about their findings. They thank researchers monthly who do contribute reports to MSRC. As I recall, they treated bunnie well, and I think they also treated “hoodie” (the original Xbox 360 hacker) well as well.
If you find a real iOS zero day that you think has a market value of 2 million, how do you (a) find a legit buyer for it, and (b) ensure you get paid, presumably in your own choice of cryptocurrency?
Even if you dont count obvious dark markets there is plenty of well known companies mostly from Israel buying exploits.
You can even reach them via Linkedin and even demonstrate and sell in person with all paperwork. No risk here because they will re-sell them for much more.
Having it both fully anonymous, safe and in crypto will be harder. You need to have a trusted friend with right connections in industry not to get scammed.
no, I'm making the rhetorical point that the sort of persons that might have 2 million laying around to pay for an iOS zero day for blackhat type purposes might not be the most honorable or likely to actually pay you. And what recourse would you have?
This depends on what you consider black hat. Israeli company that sells surveillance malware to dictatorships around the globe isnt exactly moral, but its legal business.
Unlike Apple or Microsoft buying and selling exploits is their only source of income so they have no motivation not to pay. Reputation is much more important. Also legal system does work in Israel.
I am really somehow happy about this feud as it really demasks Microsoft. The signal Microsoft sends to their costumers (also corporate and government) is IMHO as disasterous as it is to security researchers.
Microsoft has the backing of many governments, and has access to the best legal teams possible, leaving this guy in a world of hurt.
Microsoft seems to have brought this on themselves by creating a complex and user-hostile bug reporting system. It seems to me that they could have offered this person a job or a contract, because Eclipse has been amazingly effective at uncovering high-severity exploits.
Also, Eclipse could have approached various governments offering the exploits for sale, because a lucrative market exists for such things, assuming they aren't already in the NSA portfolio. Lots of above-board companies do the same thing.
Quotes in this article blame Eclipse for the damage, but the blame should really rest with Microsoft. Eclipse is apparently just one person using an AI framework. Microsoft has vastly more resources to discover and fix problems with their products, but they never seem to do it themselves.