Microsoft Threatens Legal Action Over Exploit Disclosures

▼ Summary
– A user named Nightmare Eclipse, possibly a disgruntled former employee, has been publicly posting zero-day exploit code and feuding with Microsoft.
– Microsoft has indicated it may pursue a criminal case against Nightmare Eclipse for not following what it calls “proper coordination” in vulnerability disclosure, and has disabled their accounts on GitHub, GitLab, and MSRC.
– Cybersecurity researcher Kevin Beaumont notes that Microsoft’s actions make it impossible for Nightmare Eclipse to responsibly report future vulnerabilities after being banned.
– Beaumont criticizes Microsoft for hiring people who have publicly posted zero-day exploits or have criminal hacking convictions, and for purchasing exploits from brokers.
– Beaumont argues that Microsoft’s attempt to criminalize non-compliance with its disclosure framework would be hard to defend in court due to its own inconsistent history.

Microsoft is drawing sharp criticism over how it’s handling the disclosure of zero-day exploits, specifically in its dealings with a figure known online as Nightmare Eclipse. This individual has been locked in a public dispute with the company, sharing proof-of-concept exploit code that has raised alarms across the cybersecurity community. While some posts from Nightmare Eclipse hint at being a disgruntled former employee, it’s the tech giant’s response that has truly caught the attention of security researcher Kevin Beaumont.
Microsoft has indicated it may pursue criminal charges against Nightmare Eclipse for failing to adhere to what the company calls “proper coordination” in vulnerability disclosure. In addition, Microsoft disabled the user’s accounts on GitHub, GitLab, and the Microsoft Security Response Center. As Beaumont notes, “It’s quite difficult to ‘responsibly’ report future vulnerabilities when you have been banned.”
What makes this situation particularly troubling to Beaumont is the apparent double standard. Microsoft has hired individuals who have publicly posted zero-day exploits in the past, including some with criminal hacking convictions on their records. The company has also purchased exploits from third-party brokers. This history, Beaumont argues, undermines Microsoft’s position.
Beaumont summed it up bluntly: “If Microsoft’s tactic is to try to criminalise not following often arbitrary ‘responsible disclosure’ frameworks, good luck defending that in court, because there’s a whole clown car of prior decision making within Microsoft and facts which would emerge in that process.”
(Source: The Verge)