Microsoft’s PlayReady Drama: When Bug Bounties Meet Bugged Bounty Hunters
Adam Gowdiak’s research into Microsoft’s PlayReady technology exposed vulnerabilities that could allow unauthorized movie downloads. Despite his initial reluctance, Gowdiak eventually shared his findings with Microsoft without financial demands, spurring discussions on the limitations of bug bounty programs. His frustration highlights the need for alternative approaches in handling significant security research.

Hot Take:
Oh, Microsoft! When it comes to vulnerability disclosures, it seems like you’re playing a game of pawnshop poker. Instead of showing your cards and anteing up fairly, you’re leaving researchers like Adam Gowdiak to fold in frustration. Perhaps it’s time to rethink your bug bounty program before you become the topic of every security researcher’s stand-up comedy routine.

Key Points:
- Adam Gowdiak discovered vulnerabilities in Microsoft’s PlayReady technology, affecting major streaming platforms.
- Microsoft initially dismissed the findings as implementation issues rather than vulnerabilities in the PlayReady technology itself.
- Gowdiak sought a commercial agreement instead of using Microsoft’s bug bounty program.
- He eventually shared technical details with Microsoft and made some information public.
- The situation highlights the debate over bug bounty programs versus alternative disclosure methods.