In recent months, our automated vulnerability detection platform has been running continuously, researching different products from various vendors. Its findings were very interesting and included heap overflows, use-after-frees, uninitialized data accesses, null dereferences and other vulnerability classes.
One notable vendor we reported to was Microsoft. The reports followed our 90-day responsible disclosure policy and covered vulnerabilities in products such as MS Word, Excel, Edge and others.
Microsoft chose to reject many of those reports, some of them automatically, claiming they did not meet its security bar because they were not submitted with an exploitation proof-of-concept (PoC). This seems to continue Microsoft’s attitude towards security submissions, as seen many times before.
Cybellum’s technology is built for automatic vulnerability detection, not for exploitation, so no exploitation attempts were made on any of the submissions.
We have published some of those rejected vulnerabilities on our GitHub. You’re kindly invited to have a look, and perhaps find there something that meets your own security bar.