akerl_op 2 hours ago
Microsoft's response to several recent stories including https://news.ycombinator.com/item?id=48315968
Reminder that CVD is a standard (in the same way that Test Driven Development is a standard approach that someone might choose), not the standard (something that everyone must or should do). Attempting to frame CVD as "responsible disclosure" is an attempt to staple a value judgement onto that approach.
Also, for software like Windows where researchers find vulnerabilities by inspecting software locally, the idea of prosecuting a US-based researcher for disclosing a vulnerability to the public is laughable and would not succeed.