April 18th, 2023

No, it is not a security vulnerability that there is no certificate of appreciation for reporting a bug

We received a security vulnerability report asking for a certificate of appreciation.

Here’s how the story unfolds: The finder posted a screen shot on Twitter demonstrating a bug, and they @-mentioned the Windows Developer Twitter account. The Windows Developer account replied by apologizing for the inconvenience and asking them to submit the issue through the Feedback Hub app, so it will get reported to the engineering team.

The finder then submitted a security vulnerability report saying, “I reported a bug on Twitter, and I got a response from the relevant team. Can I have a certificate of appreciation for filing a bug?”

Answering the immediate question: No, there is no certificate of appreciation for filing a bug. The happy feeling of accomplishment is its own certificate.¹

But I have some notes.

The finder didn’t get a response from the relevant team, as they claimed. They @-mentioned the Windows Developer team. That team supports software developers on Windows. But this was not a software developer issue; this was an end-user issue. Their response was a polite version of “Sir, this is a Wendy’s.” But they did recommend the correct way to report the bug, which is to use the Feedback Hub app. When you submit an issue with the Feedback Hub app, it collects additional diagnostic information related to the category of issue you are reporting, so that the engineering team can investigate.² It also creates an entry in the database so the team can keep track of it. (Twitter posts are not a good defect tracking system.)

Furthermore, I don’t see any evidence that the finder followed the instructions and submitted a report via the Feedback Hub app. I couldn’t find a matching bug from that time frame. I guess they considered the reply from the Windows Developer account to be confirmation that the issue had been received by the correct team and had been submitted for investigation.

So not only is the finder asking for a nonexistent certificate of appreciation, they didn’t even do the thing that would have merited a certificate of appreciation, had one existed.

As for submitting a security vulnerability report, the lack of a certificate of appreciation is not a security vulnerability, so it’s not clear why they’re contacting the Security Response Center. “Sir, this is another Wendy’s.”

¹ After you submit the issue in the Feedback Hub app, you get an acknowledgement screen that has a picture of the Windows Community Champions team holding a thank-you sign. You could screen shot that and print it out as your certificate of appreciation, I guess. But the finder doesn’t appear to have gotten that far, so they never saw this “certificate opportunity”.

² Sometimes, users select the wrong category, like reporting a “Taskbar not responding” issue under the “Bluetooth” category,³ and the Taskbar team gets a bug report with a lot of Bluetooth logs in it. These bugs are frustrating for the team to investigate, since they don’t get the logs they want. They have to do their investigation entirely through telemetry received from the reporting system. This gives an overview of the situation but typically lacks the necessary fine details to identify the source of the problem.

³ A common occurrence is filing an issue like “After the latest update, my Taskbar is not responding” under the “Setup and Update” category, and the Taskbar team gets a bug report with a lot of Setup and Update logs in it. To be fair, this is understandable from the customer’s point of view: The last interesting thing they did was update the system, so in their mind, this is an update issue. I’m not sure what we can do to reduce this type of misunderstanding.

Author

Raymond has been involved in the evolution of Windows for more than 30 years. In 2003, he began a Web site known as The Old New Thing which has grown in popularity far beyond his wildest imagination, a development which still gives him the heebie-jeebies. The Web site spawned a book, coincidentally also titled The Old New Thing (Addison Wesley 2007). He occasionally appears on the Windows Dev Docs Twitter account to tell stories which convey no useful information.

14 comments

  • Scarlet Manuka

    @Mystery Man (for some reason - maximum depth? - I don't see a reply link for your latest comment, which is of course the one I want to reply to):

    "Back in 2008, your blog posts received dozens of comments. What happened?"
    The comments dropped off significantly in number when it became necessary to log in to leave one. It's not a particularly high barrier to entry, but if you just wanted to make a casual...

    • Ray Koopa

      Mystery Man stated themselves their questions are rhetorical. Their writing style makes it seem like hiding provocations as facts behind that declaration to the uninitiated, but it at least makes clear they don’t need to be answered nor have a meaningful answer.

  • Nick

    > the Taskbar team gets a bug report with a lot of Setup and Update logs in it. To be fair, this is understandable from the customer’s point of view: The last interesting thing they did was update the system, so in their mind, this is an update issue. I’m not sure what we can do to reduce this type of misunderstanding.

    A good start would be to explain to users what you want them to...

  • Star Dorminey

    I’ve reported a few bugs in Feedback Hub but haven’t seen the thank-you sign, is it new?

    Also, the bug categories are pretty confusing. Like, I once submitted a bug that you couldn’t navigate the emoji picker with dictation software – does that go to accessibility or shell? Stuff like that.

    • Michael Taylor

      I have been using the Feedback Hub since Win 10 and I always get the thank you picture of the team. It should show up on the same page that thanks you for the feedback and notes they won’t respond to you. But I’m using an English version of the OS so if you’re using a different version then maybe it is different??

  • Mystery Man

    Mr. Chen, do you have proof that this actually happened? For instance, could you please post a link to the tweet or the message requesting certification of appreciation?

    • Adam Rowell

      For the purpose of this post, it doesn’t need to have happened. Raymond is describing how to (and how not to) report bugs to Microsoft, the errant Tweet being hypothetical (or not) doesn’t matter to that explanation.

    • Ray Koopa

      You should read this blog’s Ground Rules first before asking something Raymond really doesn’t need to do.

      • Mystery Man

        And so, my courteous question receives a hostile reaction. The last time I checked the Code of Conduct document linked below, such hostile reactions were forbidden.

        I am no alien to writing blog posts that do not disclose the identities of people involved. However, in those posts, the crux of the matter is something technical, not a comment on the conduct of those undisclosed individuals.

        You know, Mr. Chen, instead of writing real-world accounts without shouldering the...

      • Raymond Chen (Microsoft employee, Author) · Edited

        Ray Koopa’s response wasn’t particularly hostile in my opinion. It just pointed you to the Ground Rules. I was actually afraid that I revealed *too much* information and that the tweet would be easy to find, so I’m somewhat heartened that you couldn’t find it. I’m not sure what proof would satisfy you, seeing as you could claim that I fabricated any internal communications.

      • Mystery Man

        It's remarkable how much fear governs most of your blogging conduct. You fear that you might have given too much info already. You're afraid that your proof might not be good enough for me. The other element in your blogging is omission. You even omit a publicly viewable tweet.

        If I had to guess, I'd say you've seen a case of outrageous behavior from a user and decided to write about it so that your readers...

  • Ron Parker

    And all this time I’ve thought that the right way to report a bug was to just tweet it where Jen Gentleman would see it.

  • Drew Cooper

    I've run a couple of bug bounty programs.

    They are incredibly time consuming. "Security researchers" would run Nessus or OWASP ZAP, find, and report a bug, then be upset when we told them we knew about it and it's just not (going to be?) fixed. I could never talk internal teams into just "fixing" everything the scanners found static analysis noise, the entire dev team wasn't exposed to bug bounty noise and I got serious pushback...

    • Simon Geard · Edited

      Oh, don't get me started on would-be "security researchers"... a bunch of chimpanzees would be more useful than most of that lot. One of my jobs includes keeping an eye on the CVE reports for all of our third-party stack, and it's ridiculous how often some new "Critical" item appears on the list which on inspection leads to a bunch of exasperated developers who are left scrambling to respond to a complete non-issue.

      There was a...
