The exact quote is "Thanks for the submission! We have reviewed your report and validated your findings. After internally assessing your report based on factors including the complexity of successfully exploiting the vulnerability, the potential data and information exposure, as well as the systems and users that would be impacted, we have determined that they do not present a significant security risk to be eligible under our rewards structure." The funny thing is, they actually gave me $500 and a lifetime GitHub Pro for the submission.
Tangential, but that's quite interesting, I had no idea you could get GitHub Pro for life, and certainly not through something as "accessible" as bug bounties.
> an LLM can ingest unstructured data and turn it into a feed.
An LLM can try to do that, yes. But LLMs are lossy compression. RSS feeds are accurate, predictable, and follow a pre-defined structure. Using LLMs to ingest data which can easily be turned into a parseable data structure seems strange: use the LLM to do the "next part" of the formula (comprehension, decision making, etc.)
I mean that your RSS feed can basically be "Go to https://techcrunch.com/latest/ and use each non-video item as a feed item" or "Go to x.com/some_user and make each tweet a feed item", and the LLM can do a perfect extraction of links from html response blobs.
The only thing you have to do is ensure it can reliably get the response html. Maybe MCP browser + proxy or mirror to seem more human.
I built this for myself. The idea is that each feed is a url + title + a prompt to tell the LLM how to extract the links you want so that it generalizes over all websites.
And each feed item is a canonicalized url + title + a local copy of the content at that url which is an improvement over RSS since so many RSS feeds don't even contain the content.
Use After Free Use After Free Use After Free Use After Free Use After Free Use After Free Use After Free.
I would be more satisfied if they gave a proper explanation of what these could have led to rather than being "well maybe 0.001% chance to exploit this". They did vaguely go over how "two" exploits managed to drop a file, but how impactful is that? Dropping a file in abcd with custom contents in some folder relative to the user profile is not that impactful other than corrupting data or poisoning cache, injecting some javascript. Now reading session data from other sites, that I would find interesting.
You should generally assume that in a web browser any memory corruption bug can, when combined with enough other bugs and a lot of clever engineering, be turned into arbitrary code execution on your computer.
The most important bit being the difficulty, AI finding 21 easily exploitable bugs is a lot more interesting than 21 that you need all the planets to align to work.
You're right, I didn't know what that "..." meant. It's kind of obvious what I meant though: "I don't know why all of these have ..." I've added that information to the post.
The greyed out options have no point because 99.99% of the links I click are already clean. Like so many of the other privacy enhancing options, just provide an option to "clean links automatically."
Link "cleaning" will sometimes just break a link entirely since it's a heuristic-based thing that removes query parameters that appear to be nonfunctional tracking parameters. Doing it by default would be setting up users for the occasional very bad experience.
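Both points above, the "canonicalized url" used as a feed item key and the observation that heuristic link cleaning can strip a parameter the site actually needs, come down to the same small piece of code. The following is an added example, not code from any commenter, from Firefox, or from the feed tool described above. The tracking-parameter list, the allowlist used by the aggressive mode, and the sample URLs are all assumptions constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameters that, in practice, exist only to track the click. This is an
# assumed list for the example, not Firefox's or anyone else's real list.
TRACKING_PARAMS = {
    "fbclid", "gclid", "dclid", "msclkid", "mc_eid", "igshid", "yclid",
    "_hsenc", "_hsmi",
}
TRACKING_PREFIXES = ("utm_",)

# Names an "aggressive" cleaner would keep because they are usually
# functional. Also an assumption; any site using another name gets broken.
FUNCTIONAL_PARAMS = {"id", "q", "p", "page", "v", "t"}


def is_tracking_param(name: str) -> bool:
    n = name.lower()
    return n in TRACKING_PARAMS or n.startswith(TRACKING_PREFIXES)


def clean_url(url: str, aggressive: bool = False) -> str:
    """Drop query parameters that look like tracking.

    aggressive=False: remove only known tracking names (safe, misses some).
    aggressive=True:  keep only allowlisted names (catches more, but can strip
                      a parameter the page needs, i.e. break the link).
    """
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if aggressive:
        kept = [(k, v) for k, v in pairs if k.lower() in FUNCTIONAL_PARAMS]
    else:
        kept = [(k, v) for k, v in pairs if not is_tracking_param(k)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(kept), parts.fragment))


def canonicalize_url(url: str) -> str:
    """Map every spelling of the same resource to one key.

    Lowercases scheme and host, strips a default port, drops the fragment,
    removes tracking parameters and sorts the rest. Userinfo is dropped on
    purpose: a feed URL should never carry credentials.
    """
    parts = urlsplit(clean_url(url))
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    netloc = host if (port is None or default) else f"{host}:{port}"
    path = parts.path or "/"
    query = urlencode(sorted(parse_qsl(parts.query, keep_blank_values=True)))
    return urlunsplit((scheme, netloc, path, query, ""))


def dedupe_feed_items(urls):
    """Keep the first occurrence of each canonical URL (feed-item dedup)."""
    seen, out = set(), []
    for u in urls:
        key = canonicalize_url(u)
        if key not in seen:
            seen.add(key)
            out.append(u)
    return out


if __name__ == "__main__":
    # Constructed sample: a functional parameter that is not on the allowlist.
    link = "https://example.com/read?article=99&utm_medium=rss"
    print(clean_url(link))                    # keeps article=99
    print(clean_url(link, aggressive=True))   # strips it: link now broken
    print(canonicalize_url("HTTPS://Example.com:443/post?utm_source=hn&b=2&a=1#top"))
```

The conservative mode is the one a browser can ship on by default; the aggressive mode is what it takes to strip the long tail of tracking names, and the `article=99` case is the "occasional very bad experience" in practice.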
Did you really make a blog post to tell the world that you don't know some things? That's not usual. If that is true, the only conclusion is that you should learn those things, and I'm not sure what I am supposed to get from reading it.
I think, or at least the way it reads to me is that you believe Firefox devs are wrong. This is what it looks like you meant. You believe the "..." is wrong to be there, and it should be removed. Which I do not agree with, and in any case we should first consider the "..." conventional meaning and only then we can maybe get to the conclusion that it should be removed. That it should be removed because you don't know why it is there is not reasonable, not to me.
In my humble opinion you should reflect a bit more on what you actually meant to say by this and also other points in the post.
> The greyed out options have no point because 99.99% of the links I click are already clean.
Frankly that's nonsense. They obviously have a point, and the fact you disagree with the point is something completely different. Firefox isn't specifically made for you. I appreciate the greyed out options in general, it helps me know they are there and that they may become available under some conditions.
I wonder if Microsoft actually likes running their free email service still. They wiped a ton of old Hotmail and Live.com emails some years ago (and then allowed new people to register those deleted names). I imagine they don't get much out of it anymore.
"Summary of changes to the Microsoft Services Agreement – June 15, 2021 [...] In the Outlook and Office Services sections, we’ve removed the Outlook.com section to clarify that an email address or username is not recycled into our system or assigned to another user."
It's wild to me they ever started doing this in the first place. And in 2013 no less, it isn't like the hijacking risk was some far off concept at that point.
It's certainly not free to run and maybe it doesn't really make sense for Microsoft to run Outlook.com anymore, except that it's an easy way to motivate people to have a Microsoft account.
Outlook.com certainly has to show up as an expense, one that Microsoft would like to reduce. When you look at what other providers charge for a single email account, it's hard to see Microsoft making money off Outlook.com. There's obviously something to be said for scale, but still, it must cost them something.
> It's certainly not free to run and maybe it doesn't really make sense for Microsoft to run Outlook.com anymore, except that it's an easy way to motivate people to have a Microsoft account.
It also funnels people into using Exchange for work. More like a "marketing expense".
They wiped all the emails from my 25 year old Hotmail account. Pretty weak. I refuse to use Microsoft products except if forced, and do my best to evangelize this position.
Of course, it doesn't work though. I reported this to their bug bounty, they paid me a bounty, and told me "we won't be fixing it": https://joshua.hu/2025-bug-bounty-stories-fail#githubs-utf-f...