This tool also provides a convenient way to debug a protected process. By launching WinDbg as a protected process, or as a debugging server, we are able to attach to and debug protected processes. You can download this tool here. You can learn more and find additional resources about debugging protected processes here.

Vendor Vertigo – A Few Examples of Difficult Disclosures

ZDI’s goal is always to get bugs patched and disclosed properly. We do our best to work with vendors to meet this goal. We recently published a separate blog that highlighted the ongoing erosion of trust between vendors and researchers that we have seen firsthand through our program. In this section, we provide more context, collected throughout this project, to illustrate the scope of this problem.

Intel Corporation

An anonymous external researcher submitted several link following vulnerabilities in Intel’s software that we ultimately had to disclose without a patch. We submitted the first case to them on 09/13/2023. The next day they responded with the following:

“We are rejecting this issue. After reviewing the information provided in this report, the Intel PSIRT team has determined that this report is out of scope of the Intel® Bug Bounty Program and therefore is not eligible for rewards. Symlinks are a Windows OS feature that are not managed by Intel Software.

For more details about symlink vulnerabilities see https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-1074

Best Regards,
Intel PSIRT”

After they sent this, we wrote back that same day with a detailed explanation of why this should be remediated, along with several published examples. It is also worth noting that the ZDI never requests or collects bug bounties from vendors. We did not receive a response.

Timeline:
09/13/23 – ZDI reported the vulnerability to the vendor.
09/14/23 – The vendor states they are rejecting the case as it is out of the scope of the Intel Bug Bounty Program.
09/14/23 – ZDI provided additional details on why this vulnerability should be remediated and stated that we intend to publish the case as a zero-day advisory on 09/21/23. Mitigation: given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application.
09/21/23 – No response from vendor. ZDI publishes zero-day advisory.

Two weeks later, the second case followed the timeline below:
10/03/23 – ZDI reported the vulnerability to the vendor.
10/04/23 – Vendor acknowledges the report and says they are reviewing the case.
11/27/23 – The vendor states they are rejecting the case because it is a duplicate.
11/28/23 – The vendor sends an additional email stating “Symlinks are a Windows OS feature that are not managed by Intel Software”.
12/05/23 – ZDI again provided additional details on why this vulnerability should be remediated and stated that we intend to publish the case as a zero-day advisory on 12/12/23.
12/06/23 – The vendor asks when and where ZDI plans to disclose the vulnerability.
12/12/23 – ZDI publishes zero-day advisory.

These two cases with Intel emphasize a serious disconnect and an apparent lack of commitment to understanding and addressing critical issues in their software.

PaperCut

If you are not familiar with PaperCut, their software is deployed to manage printing in various sectors, including academia, healthcare, and government. Their website strongly emphasizes security, mentioning it several times on the landing page. To their credit, they have been proactive in patching all the vulnerabilities we have reported to them thus far.

However, we have encountered alarming issues with PaperCut’s handling of vulnerability disclosures. Despite our efforts to provide comprehensive evidence and detailed explanations during calls and email exchanges, PaperCut has chosen to downplay the severity and number of vulnerabilities in its publications. In a call with them over a year ago, they explained that any vulnerability with a severity above 7.0 requires them to notify government bodies, which then issue alerts to the public. To avoid this obligation, PaperCut appears to have misrepresented these vulnerabilities.

As shown in the following screenshot, they chose to condense four vulnerabilities of different types and with different impacts into two CVEs. These CVEs were given the same incorrect CVSS score and were assigned to our cases based only on whether triggering the bug creates or deletes files on the system. This short-sighted and negligent approach leaves the public blind to the real impact of the reported vulnerabilities.