
Microsoft criticized for threatening security researcher with criminal probe

Summary

– Microsoft threatened legal action against security researcher “Nightmare Eclipse” for publicly disclosing unpatched bugs in products like Defender and BitLocker, including exploit code.
– Microsoft argued the researcher did not responsibly report the flaws, and that publishing details before patches aided malicious hackers, with some bugs already used in real-world attacks.
– The researcher claimed Microsoft mistreated them by revoking their MSRC account access, leaving them no choice but to release the vulnerabilities as zero-days.
– Cybersecurity veterans like Katie Moussouris criticized Microsoft’s threat as over the top, warning it would erode researcher trust and create a chilling effect on bug reporting.
– The controversy reignites debate over whether independent researchers have a duty to privately disclose vulnerabilities to companies before public release.

After a security researcher publicly disclosed multiple unpatched flaws in Microsoft products, including working exploit code, the company has responded with a veiled threat of legal action and a potential criminal referral. This confrontation reignites a long-standing debate over the obligations of independent security researchers when dealing with vulnerabilities in products made by large, well-funded tech corporations.

On Wednesday, Microsoft published a blog post sharply criticizing the researcher, known online as “Nightmare Eclipse,” for releasing details about a series of bugs, including BlueHammer, RedSun, UnDefend, and YellowKey. These vulnerabilities impacted widely used tools such as the Windows Defender antivirus engine and the BitLocker disk-encryption system.

Microsoft’s central grievance is that the researcher failed to privately report the flaws so the company could patch them before going public. The company described this omission as a departure from what it called “responsible” disclosure. By publishing exploit code before fixes were available, Microsoft argued, Nightmare Eclipse may have enabled malicious hackers. According to both Microsoft and the U.S. Cybersecurity and Infrastructure Security Agency (CISA), some of the disclosed vulnerabilities have already been exploited in real-world attacks.

“Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity, coordinating as needed with law enforcement around the world,” Microsoft stated. The Digital Crimes Unit is tasked with protecting the company through civil lawsuits, technical countermeasures, criminal referrals, and public-private partnerships.

In a series of blog posts over the past few weeks, Nightmare Eclipse claimed to have attempted communication with Microsoft but alleged the company mistreated them, including revoking access to their Microsoft Security Response Center (MSRC) account, the portal researchers use to report bugs. The researcher implied they had no alternative but to release the vulnerabilities publicly, effectively turning them into zero-days: flaws for which no vendor patch exists at the time of disclosure or exploitation.

The bugs were published on GitHub (owned by Microsoft) and GitLab. Both platforms have since banned the researcher’s accounts. Neither Nightmare Eclipse nor Microsoft responded to requests for comment.

Security veterans warn of a chilling effect

This dispute revives a contentious and still unresolved question: Do independent security researchers bear a responsibility to ensure vulnerabilities they discover are fixed? And how far must they go to compel companies to act?

One aspect of the debate has largely been settled: researchers deserve compensation for their work. This principle, now widely accepted, was hard-won through campaigns like “No More Free Bugs,” launched in 2009. Today, most companies, large and small, offer bug bounty programs that can pay researchers six figures or more for privately disclosing bugs and coordinating public disclosure only after patches are released.

In the wake of the Nightmare Eclipse controversy, numerous researchers have shared their own negative experiences reporting bugs to Microsoft. A significant portion of the cybersecurity community is openly frustrated with how the company is handling the situation. Among the critics is Katie Moussouris, founder of Luta Security, who worked at Microsoft in the mid-to-late 2000s and helped pioneer bug bounties. She also convinced the company to shift from “responsible disclosure” to “coordinated disclosure.”

“Invoking the term ‘responsible’ disclosure was the first strike in my book,” Moussouris told TechCrunch. “Adding a threat of prosecution by mentioning [Digital Crimes Unit] was over the top, and will only result in security researchers distrusting Microsoft.”

Moussouris warned that eroding trust could create a chilling effect, discouraging researchers from reporting bugs and ultimately “making it less safe for all of us.”

Security researcher and former Microsoft employee Kevin Beaumont also criticized the company, calling its stance a “dumpster fire of its own making” in a blog post.

“Proof of concept exploit creation and distribution for zero days is ‘criminal activity’ now?” Beaumont wrote. “Responsible disclosure quite often is framed to protect the product owner, not the customer, using it to try to criminally prosecute people is a new low.”

(Source: TechCrunch)
