Microsoft DRM Hacking Raises Questions on Vulnerability Disclosures


A research project targeting vulnerabilities in widely used content access and protection technology from Microsoft raises some questions over certain aspects of responsible disclosure.

For the past several years, Adam Gowdiak, founder and CEO of AG Security Research (formerly Security Explorations), has been looking into the security of digital content, specifically video streaming platforms. Gowdiak is best known for his Java and TV/streaming platform security research.

The researcher recently demonstrated that an attacker could obtain content keys protected by Microsoft’s PlayReady copy-protection technology and use those keys for unauthorized movie downloads from popular streaming services such as Netflix, HBO’s Max, Amazon Prime Video and Sky Showtime.

Microsoft says PlayReady is the most widely deployed content protection technology in the world.

Gowdiak’s hacking method leverages vulnerabilities in Protected Media Path (PMP) technologies, which enforce content security in Windows environments, and Warbird compiler technology, which is designed to make reverse engineering Windows components more difficult. 

The researcher has been informing Microsoft about his findings since 2022, but he has been displeased with the tech giant. Microsoft initially said it was an implementation issue rather than a vulnerability in its technology.

Gowdiak said Microsoft started showing more interest in the research findings in April 2024 and informed him that his work may be eligible for a reward through its bug bounty program. 

However, the researcher initially refused to share technical details as he did not agree with this approach, arguing that nine months had been spent on the research, and submitting the findings through a bug bounty program would mean giving up intellectual property and know-how stemming from the research without any guarantee of payment.


Instead, Gowdiak suggested that a commercial agreement with Microsoft, under which the tech giant would compensate the work with an amount of money agreed upon by both parties, would be fairer.

However, since they could not reach any agreement, Gowdiak decided in November 2024 to provide Microsoft — without expecting anything in return — with technical details that should make it easy for the company to confirm the impact of the research and address the vulnerabilities. 

The tech giant may be able to fix some of the issues fairly easily, but architectural/design issues may pose a bigger problem, the researcher said.

Gowdiak also made public some technical information a few weeks after sharing his findings with Microsoft, but made sure it would not be easy for someone to abuse the publicly available details for piracy or other illegal activities.

The researcher told SecurityWeek that the goal of the public disclosure was to raise awareness of the uncovered issues among users and streaming platforms, and to trigger some action from Microsoft (i.e., confirming and fixing the findings).

Gowdiak has been frustrated with Microsoft’s handling of his findings, and the story raises questions about whether companies should be more open to alternatives to bug bounty programs for certain types of research.

“It’s hard to perceive Microsoft and its Rewards Program in other terms than a pawnshop,” Gowdiak said. “Researchers come to Microsoft and show the stuff they have. It is Microsoft that decides if something is valuable and how much is gonna be paid for it (remember, the price is non-negotiable, all IP gets transferred to Microsoft upon submission).” 

The researcher added, “The situation is even worse than at a real pawnshop as the disclosure of vulnerability information immediately puts the reporting party at the losing side (no way back, in a real pawn shop one can say no to the offered price and take their toys back home). Does it look like a fair process?”

SecurityWeek reached out to Microsoft several times in the past months regarding this research, but the tech giant did not want to comment.

However, we have found a third party who has agreed to share some insights from the perspective of organizations that rely on bug bounty programs to encourage responsible vulnerability disclosures.

Casey Ellis, founder and advisor at bug bounty platform Bugcrowd and co-founder of the disclose.io vulnerability disclosure project, described this story as “a good example of why coordinated disclosure is so important, and why full disclosure will always exist as a failure mode.” 

“The fact that security research will eventually be published puts accountability on both the researcher and the receiving company, and creates an organic forcing function to ensure bugs are properly considered, corrected if necessary, and the public notified of the risk,” Ellis told SecurityWeek.

Regarding the Microsoft DRM hacking research, Ellis said, “While I sympathize with the circumstances around these findings and have seen similar situations many times before, I strongly discourage this approach. The idea of dangling incomplete research with the promise of the rest on payment pivots an otherwise good-faith conversation to one that begins to sound a lot like extortion.”

Asked about his thoughts on using bug bounty programs for some types of vulnerabilities and offering alternative disclosure avenues for more extensive research, Ellis said he fully agrees with the approach, but only when the research has been self-commissioned. 

“This is one of the reasons the distinction between public and private bug bounty programs exists, and why I’ve consistently pushed for standardization of vulnerability disclosure terms with a fully open scope and coordinated disclosure timelines as a basis for public bug bounty programs,” Ellis said. 

“It’s a reflection of the fact that vulnerabilities and security research happen, whether invited by companies or not, and that the decision to be bound by disclosure terms is, in practice and reality, a decision that is 100% at the discretion of the individual hacker,” Ellis explained. 

“This is an issue of the physics of how information and the internet itself works, and it’s foolish to pretend otherwise. As anti-hacking laws like CFAA are amended to reflect the role of hackers who operate in good-faith, and as anti-copyright laws like DMCA are modernized with exemptions to reflect the same, I expect we’ll see more of this conversation bubbling up,” he added.

The expert concluded, “Security research isn’t one-size-fits-all. If a vulnerability exists on publicly accessible software and a researcher discovers it, what the researcher decides to do from that point forward is ultimately their decision. Companies can establish public bug bounty programs to incentivize the kinds of behavior they want, but it’s ultimately an exercise in soft power, not a guaranteed means of control. This is one of the reasons why reasonable disclosure terms and correctly set incentives are so important in public bounty and vulnerability disclosure programs.”
