Researcher Criticizes Microsoft Over Video Requirement for Bug Reports

A well-known vulnerability analyst has publicly criticized the Microsoft Security Response Center (MSRC) for refusing to process a detailed bug report without a proof-of-concept (POC) video. The incident has sparked debate within the cybersecurity community about the necessity of video submissions for vulnerability disclosures. Will Dormann, a senior principal vulnerability analyst, reported a bug to […] The post Researcher Criticizes Microsoft Over Video Requirement for Bug Reports appeared first on Cyber Security News.

Mar 17, 2025 - 14:45

Researcher Criticizes Microsoft Over Video Requirement for Bug Reports

A well-known vulnerability analyst has publicly criticized the Microsoft Security Response Center (MSRC) for refusing to process a detailed bug report without a proof-of-concept (POC) video.

The incident has sparked debate within the cybersecurity community about the necessity of video submissions for vulnerability disclosures.

Will Dormann, a senior principal vulnerability analyst, reported a bug to MSRC with a clear written explanation and supporting screenshots. However, MSRC responded by requesting a video demonstration of the exploit, stating they could not proceed.

Dormann expressed frustration over this demand, pointing out that the video would merely replicate the actions already depicted in his screenshots, typing commands and observing Windows responses on the screen.

He described the request as unnecessary and indicative of rigid workflows rather than genuine engagement with the report.

In response, Dormann complied with malicious humor. He created a 15-minute video featuring a techno soundtrack and 14 minutes of inactivity. The video also included a brief Zoolander reference mocking Microsoft’s request.

Ironically, when Dormann attempted to upload the video to Microsoft’s portal, the submission failed due to a 403 error.

Dormann’s critique coincided with MSRC’s blog post promoting its coordinated vulnerability disclosure program. While Microsoft emphasized its commitment to collaboration with researchers, Dormann’s experience highlighted concerns about bureaucratic hurdles.

He noted that requiring POC videos is not standard practice across the industry; organizations like CISA and the UK’s National Cyber Security Centre (NCSC) typically accept written reports with optional supplementary files.

Dormann further elaborated on his frustrations via social media, stating that researchers who take time to report vulnerabilities deserve better treatment.

He revealed that two of his recent reports were delayed due to MSRC’s insistence on video evidence, while another was outright rejected without proper review. Dormann argued that such practices discourage researchers from engaging with vendors in good faith.

The cybersecurity community has largely sided with Dormann, emphasizing that clear written documentation should suffice for vulnerability disclosures. Critics argue that demanding videos adds unnecessary complexity and signals a lack of understanding from reviewers.

While platforms like HackerOne occasionally request videos, these are typically optional and reserved for cases where visual evidence adds significant value.

Microsoft has not responded publicly to Dormann’s complaints or clarified its policy regarding POC videos. The incident underscores broader concerns about how technology companies handle vulnerability disclosures and engage with security researchers.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.

The post Researcher Criticizes Microsoft Over Video Requirement for Bug Reports appeared first on Cyber Security News.