No, it is not a security vulnerability that there is no certificate of appreciation for reporting a bug

Raymond Chen

We received a security vulnerability report asking for a certificate of appreciation.

Here’s how the story unfolds: The finder posted a screen shot on Twitter demonstrating a bug, and they @-mentioned the Windows Developer Twitter account. The Windows Developer account replied by apologizing for the inconvenience and asking them to submit the issue through the Feedback Hub app, so it will get reported to the engineering team.

The finder then submitted a security vulnerability report saying, “I reported a bug on Twitter, and I got a response from the relevant team. Can I have a certificate of appreciation for filing a bug?”

Answering the immediate question: No, there is no certificate of appreciation for filing a bug. The happy feeling of accomplishment is its own certificate.¹

But I have some notes.

The finder didn’t get a response from the relevant team, as they claimed. They @-mentioned the Windows Developer team. That team supports software developers on Windows. But this was not a software developer issue; this was an end-user issue. Their response was a polite version of “Sir, this is a Wendy’s.” But they did recommend the correct way to report the bug, which is to use the Feedback Hub app. When you submit an issue with the Feedback Hub app, it collects additional diagnostic information related to the category of issue you are reporting, so that the engineering team can investigate.² It also creates an entry in the database so the team can keep track of it. (Twitter posts are not a good defect tracking system.)

Furthermore, I don’t see any evidence that the finder followed the instructions and submitted a report via the Feedback Hub app. I couldn’t find a matching bug from that time frame. I guess they considered the reply from the Windows Developer account to be confirmation that the issue was received by the correct team and has been submitted for investigation.

So not only is the finder asking for an nonexistent certificate of appreciation, they didn’t even do the thing that would have merited a certificate of appreciation, had one existed.

As for submitting a security vulnerability report, the lack of a certificate of appreciation is not a security vulnerability, so it’s not clear why they’re contacting the Security Response Center. “Sir, this is another Wendy’s.”

¹ After you submit the issue in the Feedback Hub app, you get an acknowledgement screen that has a picture of the Windows Community Champions team holding a thank-you sign. You could screen shot that and print it out as your certificate of appreciation, I guess. But the finder doesn’t appear to have gotten that far, so they never saw this “certificate opportunity”.

² Sometimes, users select the wrong category, like reporting a “Taskbar not responding” issue under the “Bluetooth” category,³ and the Taskbar team gets a bug report with a lot of Bluetooth logs in it. These bugs are frustrating for the team to investigate, since they don’t get the logs they want. They have to do their investigation entirely through telemetry received from the reporting system. This gives an overview of the situation but typically lacks the necessary fine details to identify the source of the problem.

³ A common occurrence is filing an issue like “After the latest update, my Taskbar is not responding” under the “Setup and Update” category, and the Taskbar team gets a bug report with a lot of Setup and Update logs in it. To be fair, this is understandable from the customer’s point of view: The last interesting thing they did was update the system, so in their mind, this is an update issue. I’m not sure what we can do to reduce this type of misunderstanding.


Discussion is closed. Login to edit/delete existing comments.

  • Drew Cooper 0

    I’ve run a couple of bug bounty programs.

    They are incredibly time consuming. “Security researchers” would run Nessus or OWASP ZAP, find, and report a bug, then be upset when we told them we knew about it and it’s just not (going to be?) fixed. I could never talk internal teams into just “fixing” everything the scanners found static analysis noise, the entire dev team wasn’t exposed to bug bounty noise and I got serious pushback against making those scans part of CI. And I could never hand the tasks off to a PM because PMs were deemed “not technical enough” to respond to possible bugs.

    I haven’t heard much about startups with bug bounty programs in a while.

    • Simon Geard 0

      Oh, don’t get me started on would-be “security researchers”… a bunch of chimpanzees would be more useful than most of that lot. One of my jobs includes keeping an eye on the CVE reports for all of our third-party stack, and it’s ridiculous how often some new “Critical” item appears on the list which on inspection leads to a bunch of exasperated developers who are left scrambling to respond to a complete non-issue.

      There was a case a couple of years ago where someone had obviously just done some kind of code search across all of GitHub looking for some pattern, then logged hundreds of dodgy CVEs — most of which were poorly targeted, resulting in Python-related vulnerabilities being logged against popular Java frameworks like Spring. And between my wasted time, and that of all the other architects in my position across the world, and that of the upstream projects dealing with this crap… these morons have wasted a lot of other people’s time and money.

  • Ron Parker 0

    And all this time I’ve thought that the right way to report a bug was to just tweet it where Jen Gentleman would see it.

  • Mystery Man 0

    Mr. Chen, do you have proof that this actually happened? For instance, could you please post a link to the tweet or the message requesting certification of appreciation?

    • Ray Koopa 1

      You should read this blogs Ground Rules first before asking something Raymond really doesn’t need to do.

      • Mystery Man 1

        And so, my courteous question receives a hostile reaction. The last time I checked the Code of Conduct document linked below, such hostile reactions were forbidden.

        I am no alien to writing blog posts that do not disclose the identities of people involved. However, in those posts, the crux of the matter is something technical, not a comment on the conduct of those undisclosed individuals.

        You know, Mr. Chen, instead of writing real-world accounts without shouldering the burden of proof, you could write fiction and be lauded as a fiction writer like Isaac Asimov. All you have to do is to add a disclaimer at the top of this post and choose a name for the antagonist of this post.

        • Raymond ChenMicrosoft employee 4

          Ray Koopa’s response wasn’t particularly hostile in my opinion. It just pointed you to the Ground Rules. I was actually afraid that I revealed *too much* information and that the tweet would be easy to find, so I’m somewhat heartened that you couldn’t find it. I’m not sure what proof would satisfy you, seeing as you could claim that I fabricated any internal communications.

          • Mystery Man 1

            It’s remarkable how much fear governs most of your blogging conduct. You fear that you might have given too much info already. You’re afraid that your proof might not be good enough for me. The other element in your blogging is omission. You even omit a publically viewable tweet.

            If I had to guess, I’d say you’ve seen a case of outrageous behavior from a user and decided to write about it so that your readers empathize. But in doing so, you scrubbed every element that evoked the original emotion in you. Are you surprised that one of your readers (yours truly) is not empathizing?

            Omission and fear are traits of oppressive regimes. They constantly broadcast news items in the general form of “someone did something, but we’re not saying who.” After a while, they lose credibility. (Back in 2008, your blog posts received dozens of comments. What happened?)

    • Adam Rowell 4

      For the purpose of this post, it doesn’t need to have happened. Raymond is describing how to (and how not to) report bugs to Microsoft, the errant Tweet being hypothetical (or not) doesn’t matter to that explanation.

  • Star Dorminey 0

    I’ve reported a few bugs in Feedback Hub but haven’t seen the thank-you sign, is it new?

    Also, the bug categories are pretty confusing. Like, I once submitted a bug that you couldn’t navigate the emoji picker with dictation software – does that go to accessibility or shell? Stuff like that.

    • Michael Taylor 0

      I have been using the Feedback Hub since Win 10 and I always get the thank you picture of the team. It should show up on the same page that thanks you for the feedback and notes they won’t respond to you. But I’m using an English version of the OS so if you’re using a different version then maybe it is different??

  • Nick 0

    > the Taskbar team gets a bug report with a lot of Setup and Update logs in it. To be fair, this is understandable from the customer’s point of view: The last interesting thing they did was update the system, so in their mind, this is an update issue. I’m not sure what we can do to reduce this type of misunderstanding.

    A good start would be to explain to users what you want them to do. The Feedback Hub UI seems to be following the unfortunate design trend of “if less is more then none is best”:

    A sentence above “Choose a category” that says something like “Select the category that best describes where the problem is or what feature isn’t working.” would help users know that you that want to know that the Taskbar is broken and not that they did an Update which caused a broken taskbar. And if it asked whether the feedback was due to a problem or was a product suggestion or a question, you’d be able to make the category suggestion more appropriate to the circumstance.

  • Scarlet Manuka 1

    @Mystery Man (for some reason – maximum depth? – I don’t see a reply link for your latest comment, which is of course the one I want to reply to):

    “Back in 2008, your blog posts received dozens of comments. What happened?”
    The comments dropped off significantly in number when it became necessary to log in to leave one. It’s not a particularly high barrier to entry, but if you just wanted to make a casual comment in passing it’s not worth the effort. I certainly comment now only 10-20% of the time that I have the impulse to, primarily because what I had to say in the other cases wasn’t so significant that I could be bothered logging in to say it.

    No need to imply any cause in Mr. Chen’s writing style, which has always been cautious about revealing any identifying information. Indeed it seems to me that it has become slightly less so over time.

    • Ray Koopa 0

      Mystery Man stated themselves their questions are rhetorical. Their writing style makes it seem like hiding provocations as facts behind that declaration to the uninitiated, but it at least makes clear they don’t need to be answered nor have a meaningful answer.

Feedback usabilla icon