Problem is, sending a C&D letter is doubly ineffective:
- it barely has any effect in keeping potential exploiters from getting access to the vulnerability;
- someone who cared enough about MS to help them better themselves is treated like a nuisance (at best).
In fact, compare that to the way the last TLS-related vulnerability was handled; in both cases, a critical flaw was revealed before a fix was ready. In the TLS case, it was handled with forthrightness and transparency. I'm not saying that MS should do the same (MS probably can't); but they would show more respect to Samir, and to all their Bing Cashback clients, by:
- asking Samir to remove most of the "sensible" post information - you know, instead of threatening litigation from the get-go;
- taking an official stance on the problem: what's the risk, who's affected, what should be done - instead of leaving Bing Cashback clients vulnerable to misinformation and abuse.