Shouldn't the author have first contacted MS, letting them know of the flaw, and made a post (and taken the credit) after they had fixed the flaw?
That is what I have seen happen in the past when the DNS flaw was discovered and also recently when the Twitter XSS vulnerability was found.
This is considered standard. You only go public with a live exploit if the company shows no interest in fixing it. The author receives no sympathy from me on this.
Regardless of whether what the author did is deserving of sympathy, I think most of us can agree that the correct course of action is fixing the security bug rather than trying to cover it up. I mean, we all know how well that works.
On the other hand, the only way to force a company to react promptly is to publish the exploit.
In this case the exploit was apparently self-evident to nearly any technical mind -- I think that even I understood how simple and naive the bug was -- so you could safely assume that loads of fraudsters would've been milking the system while the bug report would slowly snake through the internal organs of Microsoft before eventually landing on some engineer's table.
It's only saddening that the first reaction is through the legal department. Or did Microsoft say somewhere that they fixed this already? Or take down Bing Cashback until the issue is resolved?
This is the standard course of action for security professionals. Perhaps the author was just unaware of industry practices. To tell you the truth, I'm not sure what I would have done, and I even know about vendor disclosure. I probably wouldn't have given it much thought and just assumed that I missed something. Then maybe posted something to see what my flaw was. Then if I happened to be right I would have run afoul of vendor disclosure.
If you're not a pro, it's easy to lose track of best practices.
On the other hand, this is such a glaring security flaw that it's hard to have much sympathy for Microsoft (or Microsoft's infamous legal department), since this could cause significant problems for a merchant. The people deserve to know the truth. ;-) Thank you for making this public.