MSRC Listens BlueHat v18
WARNING
The following presentation contains exploits, true stories, rampant
honesty and integrity combined with radical transparency and attempts
to save the world. As such, it may contain mature language, trigger
content, and other items which may cause discomfort in the viewer.
You are welcome to leave now.
You have been warned.
stop this criminal insanity
bestially demented psychopaths
an unidentifiable MS Support person, containing more
nonsensical, inept and empty words proving that only an
irresponsible mentally retarded semiliterate saboteur, an
intellectually challenged semiliterate and/or a
communicationally challenged semiliterate can write such
nonsensical, inept and empty words
kinda shady
Can I have an update on MSRC Case XXXXX please? It's severe vulnerability
with easy temporary fix, but no updates/fix after 5 months
I'm totally disappointed in MSRC. It seems that they
can not understand my PoC nor make any
reasonable conclusion:(
May I know the status of my bug report XXXXX
So that I could disclose it public if it's fixed
why are you repeatedly ignoring my emails asking
to confirm which CVE fixes which case/s I reported…
I thought we liked each other, but now you're
giving me a silent treatment. Should I disclose issues
without fix confirmation?
any updates about this case XXXXX for four months and I got no
reply about the bounty. Please check it ASAP.
why is there no response to my e-mail?
:( why is this keep happening to my reports?
The world is not simply black (Hacking Team) and white (MSRC); that type of thinking leads to totalitarianism
nice to see MSRC didn't credit me though :/
Asked MSRC to look into
the fact that MSFT
installers are easily
pwned by DLLs planted
by Edge in Downloads.
Their response?
¯_(ツ)_/¯
Wonder what they
would consider "a
real lead", if this
isn't one. :-/”
I meant that somebody needs to audit MSRC. Somebody up
there at Microsoft with a bit of blood in her veins.
What is the maximum
queue time for a report
in MSRC to be forwarded
to the Bounty team?
MSRC still sucks xxx. XXXX this place
MSRC is dead
robots
My friend it's been a long time since you reported the security
clearance. You have not answered yet. I do not have time to wait
for you anymore. I explained the security issue. I will never report
security incidents again! You work very slowly. I’m xxxxxxx your
mother in your friend who confirmed the report! XXXX off!
Close the report. XXXX you report and your friend and your mom!
MSRC LISTENS | BLUEHAT V18
Mechele Gruhn
Principal Security PM Manager
MSRC Vulnerability Response
@M3CH3L3
Kymberlee Price
Principal Security PM Manager
MSRC Community Programs
@Kym_Possible
secure@microsoft.com
Coordinated Vulnerability Disclosure
Bounty
Security Update Guide
Researcher Top 100
BlueHat
Cyber Defense Operations Center
Microsoft Security Response Center
Our mission is to protect customers from
being harmed through security
vulnerabilities in Microsoft's offerings
and rapidly repulse attacks against the
Microsoft Cloud's cloud offerings
@msftsecresponse
Microsoft Active Protection Program
GSP
SSIRP
Global CVEs by Year
(Candidate and Entry, MITRE.ORG)
Typical CVE release guidance
1 Article
KB KB
1 CVE
1 Ack
Normal security update guidance
Update guidance for speculative execution side-channel attacks
1 Advisory: ADV180002
CVEs: CVE-2017-5753, CVE-2017-5754, CVE-2017-5715
KB (×30)
Blog (×16)
Ack (×12)
vulnerability (noun)
 ˌvəl-n(ə-)rə-ˈbi-lə-tē
: a security exposure that results from a
product weakness that the product
developer did not intend to introduce
and should fix once it is discovered
Microsoft Security Response Center
Sent to secure@
Confirmation that secure@ received it
Confirmation of repro
Fix is developed
Update guidance released
Bounty payment received
Coordinated Vulnerability Disclosure
LISTEN (verb)
ˈli-sᵊn
: to hear something with thoughtful
attention
: give consideration
Merriam-Webster
Community
Tooling
Bounty
Process
Listening
Product Engineering
People
Community
We’re listening
<Researcher Top 100 graphic>
External representation in the community
Bounty
We’re listening
Tooling
We’re listening
nice to see MSRC didn't credit me though :/
CVRF API
We could not have done the release on January 3 with the software and tooling that we had in place in January of 2016.
Watch this space
DESIGN REVIEW
STEPHANIE.BATTERSHELL / HUI.LIU (DAISY)
Vulnerability Report
Abuse Report
Azure Pentest
Notification
Online Services Researcher
Acknowledgments
Report an issue
Product Engineering
We’re listening
Process
We’re listening
Repeatable, transparent process
People
We’re listening
stop this criminal insanity
bestially demented psychopaths
an unidentifiable MS Support person, containing more
nonsensical, inept and empty words proving that only an
irresponsible mentally retarded semiliterate saboteur, an
intellectually challenged semiliterate and/or a
communicationally challenged semiliterate can write such
nonsensical, inept and empty words
kinda shady
Can I have an update on MSRC Case XXXXX please? It's severe vulnerability
with easy temporary fix, but no updates/fix after 5 months
I'm totally disappointed in MSRC. It seems that they
can not understand my PoC nor make any
reasonable conclusion:(
May I know the status of my bug report XXXXX
So that I could disclose it public if it's fixed
why are you repeatedly ignoring my emails asking
to confirm which CVE fixes which case/s I reported…
I thought we liked each other, but now you're
giving me a silent treatment. Should I disclose issues
without fix confirmation?
any updates about this case XXXXX for four months and I got no
reply about the bounty. Please check it ASAP.
why is there no response to my e-mail?
:( why is this keep happening to my reports?
The world is not simply black (Hacking Team) and white (MSRC); that type of thinking leads to totalitarianism
nice to see MSRC didn't credit me though :/
Asked MSRC to look into
the fact that MSFT
installers are easily
pwned by DLLs planted
by Edge in Downloads.
Their response?
¯_(ツ)_/¯
Wonder what they
would consider "a
real lead", if this
isn't one. :-/”
I meant that somebody needs to audit MSRC. Somebody up
there at Microsoft with a bit of blood in her veins.
What is the maximum
queue time for a report
in MSRC to be forwarded
to the Bounty team?
MSRC still sucks ass. Fuck this place
MSRC is dead
robots
My friend it's been a long time since you reported the security
clearance. You have not answered yet. I do not have time to wait
for you anymore. I explained the security issue. I will never report
security incidents again! You work very slowly. I'm fucking your
mother in your friend who confirmed the report! Fuck off!
Close the report. Fuck you report and your friend and your mom!
MSRC Listens BlueHat v18
Thank you
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 

BlueHat v18 || MSRC listens

  • 5. WARNING The following presentation contains exploits, true stories, rampant honesty and integrity combined with radical transparency and attempts to save the world. As such, it may contain mature language, trigger content, and other items which may cause discomfort in the viewer. You are welcome to leave now. You have been warned.
  • 6. stop this criminal insanity bestially demented psychopaths an unidentifiable MS Support person, containing more nonsensical, inept and empty words proving that only an irresponsible mentally retarded semiliterate saboteur, an intellectually challenged semiliterate and/or a communicationally challenged semiliterate can write such nonsensical, inept and empty words kinda shady Can I have an update on MSRC Case XXXXX please? It's severe vulnerability with easy temporary fix, but no updates/fix after 5 months I'm totally disappointed in MSRC. It seems that they can not understand my PoC nor make any reasonable conclusion:( May I know the status of my bug report XXXXX So that I could disclose it public if it's fixed why are you repeatedly ignoring my emails asking to confirm which CVE fixes which case/s I reported… I thought we liked each other, but now you're giving me a silent treatment. Should I disclose issues without fix confirmation? any updates about this case XXXXX for four months and I got no reply about the bounty. Please check it ASAP. why is there no response to my e-mail? :( why is this keep happening to my reports? The world is not simply black (Hacking Team) and white (MSRC); that type of thinking leads to totalitarianism nice to see MSRC didn't credit me though :/ Asked MSRC to look into the fact that MSFT installers are easily pwned by DLLs planted by Edge in Downloads. Their response? ¯_(ツ)_/¯ Wonder what they would consider "a real lead", if this isn't one. :-/” I meant that somebody needs to audit MSRC. Somebody up there at Microsoft with a bit of blood in her veins. What is the maximum queue time for a report in MSRC to be forwarded to the Bounty team? MSRC still sucks xxx. XXXX this place MSRC is dead robots My friend it's been a long time since you reported the security clearance. You have not answered yet. I do not have time to wait for you anymore. I explained the security issue. I will never report security incidents again! 
You work very slowly. I’m xxxxxxx your mother in your friend who confirmed the report! XXXX off! Close the report. XXXX you report and your friend and your mom!
  • 7. MSRC LISTENS | BLUEHAT V18. Mechele Gruhn, Principal Security PM Manager, MSRC Vulnerability Response (@M3CH3L3); Kymberlee Price, Principal Security PM Manager, MSRC Community Programs (@Kym_Possible)
  • 9. Microsoft Security Response Center (@msftsecresponse). Our mission is to protect customers from being harmed through security vulnerabilities in Microsoft's offerings and rapidly repulse attacks against the Microsoft Cloud's cloud offerings. Programs shown: secure@microsoft.com; Coordinated Vulnerability Disclosure; Bounty; Security Update Guide; Researcher Top 100; BlueHat; Cyber Defense Operations Center; Microsoft Active Protection Program; GSP; SSIRP
  • 12. Global CVEs by Year (Candidate and Entry, MITRE.ORG)
  • 14. Typical CVE release guidance 1 Article KB KB 1 CVE 1 Ack Normal security update guidance
  • 15. Update guidance for speculative execution side-channel attacks: 1 Advisory (ADV180002); CVE-2017-5753, CVE-2017-5754, CVE-2017-5715; [diagram: many repeated KB, Blog and Ack boxes]
  • 18. vulnerability (noun) ˌvəl-n(ə-)rə-ˈbi-lə-tē : a security exposure that results from a product weakness that the product developer did not intend to introduce and should fix once it is discovered Microsoft Security Response Center
  • 19. Sent to secure@ → Confirmation that secure@ received it → Confirmation of repro → Fix is developed → Update guidance released → Bounty payment received (Coordinated Vulnerability Disclosure)
  • 22. LISTEN (verb) ˈli-sᵊn : to hear something with thoughtful attention : give consideration (Merriam-Webster)
  • 26. External representation in the community
  • 29. nice to see MSRC didn't credit me though :/
  • 31. We could not have done the release on January 3 with the software and tooling that we had in place in January of 2016.
  • 33. DESIGN REVIEW: STEPHANIE.BATTERSHELL / HUI.LIU (DAISY). Report an issue: Vulnerability Report; Abuse Report; Azure Pentest Notification; Online Services Researcher Acknowledgments
  • 39. stop this criminal insanity bestially demented psychopaths an unidentifiable MS Support person, containing more nonsensical, inept and empty words proving that only an irresponsible mentally retarded semiliterate saboteur, an intellectually challenged semiliterate and/or a communicationally challenged semiliterate can write such nonsensical, inept and empty words kinda shady Can I have an update on MSRC Case XXXXX please? It's severe vulnerability with easy temporary fix, but no updates/fix after 5 months I'm totally disappointed in MSRC. It seems that they can not understand my PoC nor make any reasonable conclusion:( May I know the status of my bug report XXXXX So that I could disclose it public if it's fixed why are you repeatedly ignoring my emails asking to confirm which CVE fixes which case/s I reported… I thought we liked each other, but now you're giving me a silent treatment. Should I disclose issues without fix confirmation? any updates about this case XXXXX for four months and I got no reply about the bounty. Please check it ASAP. why is there no response to my e-mail? :( why is this keep happening to my reports? The world is not simply black (Hacking Team) and white (MSRC); that type of thinking leads to totalitarianism nice to see MSRC didn't credit me though :/ Asked MSRC to look into the fact that MSFT installers are easily pwned by DLLs planted by Edge in Downloads. Their response? ¯_(ツ)_/¯ Wonder what they would consider "a real lead", if this isn't one. :-/” I meant that somebody needs to audit MSRC. Somebody up there at Microsoft with a bit of blood in her veins. What is the maximum queue time for a report in MSRC to be forwarded to the Bounty team? MSRC still sucks ass. Fuck this place MSRC is dead robots My friend it's been a long time since you reported the security clearance. You have not answered yet. I do not have time to wait for you anymore. I explained the security issue. I will never report security incidents again! 
You work very slowly. I'm fucking your mother in your friend who confirmed the report! Fuck off! Close the report. Fuck you report and your friend and your mom!