
> terms of our responsible disclosure policy

I couldn't find a public copy of that.

The best starting point I found for reporting vulnerabilities was: https://github.com/microsoft/MSRC-Security-Research/security...

You can email without agreeing to anything. But for a serious issue Microsoft would obviously try and track down who you are and what jurisdiction you are in.



https://www.microsoft.com/en-us/msrc/bounty-guidelines

> MICROSOFT BOUNTY TERMS & CONDITIONS

> Last updated: July 23, 2025

> The Microsoft Bug Bounty Programs Terms and Conditions ("Terms") cover your participation in the Microsoft Bug Bounty Program (the "Program"). These Terms are between you and Microsoft Corporation ("Microsoft," "us" or "we"). By submitting any vulnerabilities to Microsoft or otherwise participating in the Program in any manner, you accept these Terms.

Who knows if it's enforceable.


Sure - that's a bug bounty - which is opt-in.

You said "There is actually no way to give them a friendly heads up, and then do your own thing. The only way not to be bound is by not sending them any notification at all..."

So what you said is wrong, right?


Maybe you're right. I just find it confusing. The language is all-encompassing, doesn't read opt-in to me if taken literally: "By submitting any vulnerabilities to Microsoft". And I found no other pages describing "report in such and such way to have these terms apply instead". But I always have problems with this stuff, perhaps taking it too seriously.

Obviously they can write whatever they want in their policy documents. The thing is, sometimes this is about larger sums of money, or someone's reputation, which may or may not actually lead to steps. That is in contrast with whatever TOS/EULA in account signups for some service or whatever; this feels more serious. I've seen some people getting harried after publishing something that fell _outside_ the servicing boundaries. Getting tangled up in whatever is already a loss in my book, even if you "win" in the end.

Note that that policy is also where they set out the safe-harbor conditions, which, according to my read, is tied to the bounty policy and not RD/CVD policy. The RD/CVD page itself specifies no such thing, so I relate them.


This seems to be sloppy wording, with the intent of "we only offer the bounty under these terms". Maybe my interpretation is too charitable.


I do not speak for MSFT, but last time I spoke with MSRC indeed they would be happy to receive your vulnerability report even if you did not wish to participate in any particular bug bounty program.



