A security researcher, Ammar Askar, has publicly disclosed a zero-day vulnerability in Visual Studio Code (VS Code) after losing trust in Microsoft’s bug reporting process. The exploit enables attackers to steal GitHub tokens through a flaw in github.dev, allowing unrestricted access to public and private repositories. Askar criticized Microsoft’s security response process for inadequate handling of previous vulnerabilities, stating that past experiences of being disregarded led him to forgo coordinated disclosure.
He emphasized the need for stronger security practices and for better treatment of security researchers in order to foster collaboration.