No, it is not a security vulnerability that there is no certificate of appreciation for reporting a bug

Raymond Chen

We received a security vulnerability report asking for a certificate of appreciation.

Here’s how the story unfolds: The finder posted a screen shot on Twitter demonstrating a bug, and they @-mentioned the Windows Developer Twitter account. The Windows Developer account replied by apologizing for the inconvenience and asking them to submit the issue through the Feedback Hub app, so it will get reported to the engineering team.

The finder then submitted a security vulnerability report saying, “I reported a bug on Twitter, and I got a response from the relevant team. Can I have a certificate of appreciation for filing a bug?”

Answering the immediate question: No, there is no certificate of appreciation for filing a bug. The happy feeling of accomplishment is its own certificate.¹

But I have some notes.

The finder didn’t get a response from the relevant team, as they claimed. They @-mentioned the Windows Developer team. That team supports software developers on Windows. But this was not a software developer issue; this was an end-user issue. Their response was a polite version of “Sir, this is a Wendy’s.” But they did recommend the correct way to report the bug, which is to use the Feedback Hub app. When you submit an issue with the Feedback Hub app, it collects additional diagnostic information related to the category of issue you are reporting, so that the engineering team can investigate.² It also creates an entry in the database so the team can keep track of it. (Twitter posts are not a good defect tracking system.)

Furthermore, I don’t see any evidence that the finder followed the instructions and submitted a report via the Feedback Hub app. I couldn’t find a matching bug from that time frame. I guess they considered the reply from the Windows Developer account to be confirmation that the issue was received by the correct team and has been submitted for investigation.

So not only is the finder asking for a nonexistent certificate of appreciation, they didn’t even do the thing that would have merited a certificate of appreciation, had one existed.

As for submitting a security vulnerability report, the lack of a certificate of appreciation is not a security vulnerability, so it’s not clear why they’re contacting the Security Response Center. “Sir, this is another Wendy’s.”

¹ After you submit the issue in the Feedback Hub app, you get an acknowledgement screen that has a picture of the Windows Community Champions team holding a thank-you sign. You could screen shot that and print it out as your certificate of appreciation, I guess. But the finder doesn’t appear to have gotten that far, so they never saw this “certificate opportunity”.

² Sometimes, users select the wrong category, like reporting a “Taskbar not responding” issue under the “Bluetooth” category,³ and the Taskbar team gets a bug report with a lot of Bluetooth logs in it. These bugs are frustrating for the team to investigate, since they don’t get the logs they want. They have to do their investigation entirely through telemetry received from the reporting system. This gives an overview of the situation but typically lacks the necessary fine details to identify the source of the problem.

³ A common occurrence is filing an issue like “After the latest update, my Taskbar is not responding” under the “Setup and Update” category, and the Taskbar team gets a bug report with a lot of Setup and Update logs in it. To be fair, this is understandable from the customer’s point of view: The last interesting thing they did was update the system, so in their mind, this is an update issue. I’m not sure what we can do to reduce this type of misunderstanding.