MSRC Listens BlueHat v18
WARNING
The following presentation contains exploits, true stories, rampant
honesty and integrity combined with radical transparency and attempts
to save the world. As such, it may contain mature language, trigger
content, and other items which may cause discomfort in the viewer.
You are welcome to leave now.
You have been warned.
stop this criminal insanity
bestially demented psychopaths
an unidentifiable MS Support person, containing more
nonsensical, inept and empty words proving that only an
irresponsible mentally retarded semiliterate saboteur, an
intellectually challenged semiliterate and/or a
communicationally challenged semiliterate can write such
nonsensical, inept and empty words
kinda shady
Can I have an update on MSRC Case XXXXX please? It's severe vulnerability
with easy temporary fix, but no updates/fix after 5 months
I'm totally disappointed in MSRC. It seems that they
can not understand my PoC nor make any
reasonable conclusion:(
May I know the status of my bug report XXXXX
So that I could disclose it public if it's fixed
why are you repeatedly ignoring my emails asking
to confirm which CVE fixes which case/s I reported…
I thought we liked each other, but now you're
giving me a silent treatment. Should I disclose issues
without fix confirmation?
any updates about this case XXXXX for four months and I got no
reply about the bounty. Please check it ASAP.
why is there no response to my e-mail?
:( why is this keep happening to my reports?
The world is not simply black (Hacking Team) and white (MSRC); that type of thinking leads to totalitarianism
nice to see MSRC didn't credit me though :/
Asked MSRC to look into
the fact that MSFT
installers are easily
pwned by DLLs planted
by Edge in Downloads.
Their response?
¯_(ツ)_/¯
Wonder what they
would consider "a
real lead", if this
isn't one. :-/”
I meant that somebody needs to audit MSRC. Somebody up
there at Microsoft with a bit of blood in her veins.
What is the maximum
queue time for a report
in MSRC to be forwarded
to the Bounty team?
MSRC still sucks xxx. XXXX this place
MSRC is dead
robots
My friend it's been a long time since you reported the security
clearance. You have not answered yet. I do not have time to wait
for you anymore. I explained the security issue. I will never report
security incidents again! You work very slowly. I’m xxxxxxx your
mother in your friend who confirmed the report! XXXX off!
Close the report. XXXX you report and your friend and your mom!
MSRC LISTENS | BLUEHAT V18
Mechele Gruhn
Principal Security PM Manager
MSRC Vulnerability Response
@M3CH3L3
Kymberlee Price
Principal Security PM Manager
MSRC Community Programs
@Kym_Possible
secure@microsoft.com
Coordinated Vulnerability Disclosure
Bounty
Security Update Guide
Researcher Top 100
BlueHat
Cyber Defense Operations Center
Microsoft Security Response Center
Our mission is to protect customers from
being harmed through security
vulnerabilities in Microsoft's offerings
and rapidly repulse attacks against the
Microsoft Cloud's cloud offerings
@msftsecresponse
Microsoft Active Protection Program
GSP
SSIRP
Global CVEs by Year
(Candidate and Entry, MITRE.ORG)
Typical CVE release guidance
1 Article
KB KB
1 CVE
1 Ack
Normal security update guidance
Update guidance for speculative execution side-channel attacks
1 Advisory: ADV180002
CVEs: CVE-2017-5753, CVE-2017-5754, CVE-2017-5715
[Diagram: KB ×30, Blog ×16, Ack ×12]
vulnerability (noun)
 ˌvəl-n(ə-)rə-ˈbi-lə-tē
: a security exposure that results from a
product weakness that the product
developer did not intend to introduce
and should fix once it is discovered
Microsoft Security Response Center
Coordinated Vulnerability Disclosure:
Sent to secure@ → Confirmation that secure@ received it → Confirmation of repro → Fix is developed → Update guidance released → Bounty payment received
LISTEN (verb)
ˈli-sᵊn
: to hear something with thoughtful
attention
: give consideration
Merriam-Webster
Community
Tooling
Bounty
Process
Listening
Product
Engineering
People
Community
We’re listening
<Researcher Top 100 graphic>
External representation in the community
Bounty
We’re listening
Tooling
We’re listening
nice to see MSRC didn't credit me though :/
CVRF API
We could not have
done the release
on January 3 with
the software and
tooling that we
had in place
in January
of 2016.
Watch this space
DESIGN REVIEW
STEPHANIE.BATTERSHELL / HUI.LIU (DAISY)
Vulnerability Report
Abuse Report
Azure Pentest
Notification
Online Services Researcher
Acknowledgments
Report an issue
Product
Engineering
We’re listening
Process
We’re listening
Repeatable, transparent process
People
We’re listening
MSRC Listens BlueHat v18
Thank you