After a security researcher published a series of unpatched bugs in Microsoft products, along with code to exploit them, the company is now threatening to take legal action and call the cops on them. Microsoft’s veiled threat reignites a long-running argument over what responsibility, if any, security researchers have to disclose vulnerabilities affecting large and wealthy tech giants.
On Wednesday, Microsoft published a blog post criticizing the researcher, who goes by the handle “Nightmare Eclipse,” for publicly disclosing a series of bugs, including BlueHammer, RedSun, UnDefend, and YellowKey. The flaws affected products such as the Windows built-in antivirus engine Defender and the disk-encryption tool BitLocker.
The core of Microsoft’s complaints is that the researcher did not attempt to report the bugs so that the company could fix them. That would have been “responsible,” as Microsoft’s blog put it. The other side of the company’s argument is that by publishing the details of the bugs and how to exploit them before they were patched, Nightmare Eclipse may have aided malicious hackers. Some of the vulnerabilities Nightmare Eclipse disclosed have since been used by hackers in real-world attacks, according to Microsoft, as well as the U.S. cybersecurity agency CISA.
“Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity — coordinating as needed with law enforcement around the world,” Microsoft wrote. (Microsoft’s Digital Crimes Unit has the mission of protecting the company through different strategies, including “civil legal actions, technical countermeasures, criminal referrals, and public-private partnerships,” according to its website).
In a series of blogs published in the last couple of weeks — without providing many specific details — Nightmare Eclipse claimed to have been in contact with Microsoft, but the company allegedly mistreated them, including revoking access to their Microsoft Security Response Center account, the portal where researchers can report vulnerabilities to the tech giant. Nightmare Eclipse’s implication was that they had no choice but to release the vulnerabilities publicly, which essentially meant that at that point they were zero-days, a specific term for security flaws that are unknown to the software maker affected at the time they are disclosed or exploited.
The researchers published the bugs on open source repositories GitHub (owned by Microsoft) and GitLab. The researchers’ accounts on those platforms have been banned.
Nightmare Eclipse and Microsoft did not respond to a request for comment.
Cybersecurity veterans warn of chilling effect
This public spat brings back a long-running and still somewhat controversial debate: Do independent security researchers have a duty to make sure the vulnerabilities they find get fixed? And how far are they supposed to go to make sure the companies whose products are vulnerable actually fix them?
One part of this debate, which has been fully settled and widely recognized, is that researchers deserve to get paid for their work. While it may sound obvious these days, it took years of struggle, captured in part during a campaign launched in 2009 called “No More Free Bugs.” Almost 20 years later, most companies small and large pay “bug bounty” financial rewards, which can today run as high as six figures or more to researchers who privately disclose bugs and coordinate publishing their details once the bugs are fixed.
In response to this latest controversy with Nightmare Eclipse, countless researchers have shared their bad experiences reporting bugs to Microsoft. It’s fair to say that much of the cybersecurity community is vocally unhappy about how Microsoft is handling this issue. This includes cybersecurity veterans, such as Luta Security founder Katie Moussouris, who while working at Microsoft in the mid- to late 2000s pioneered bug bounties and convinced the technology giant to move away from the concept of “responsible disclosure” by framing the process as “coordinated disclosure.”
“Invoking the term ‘responsible’ disclosure was the first strike in my book,” Moussouris told TechCrunch, referring to Microsoft’s blog post. “Adding a threat of prosecution by mentioning [Digital Crimes Unit] was over the top, and will only result in security researchers distrusting Microsoft.”
Moussouris warned that the consequences of security researchers losing trust with Microsoft could result in a chilling effect of fewer people coming forward to report bugs, “making it less safe for all of us.”
Security researcher and former Microsoft employee Kevin Beaumont also called out Microsoft in a blog post, describing the company’s position a “dumpster fire of its own making.”
“Proof of concept exploit creation and distribution for zero days is ‘criminal activity’ now?” wrote Beaumont. “Responsible disclosure quite often is framed to protect the product owner, not the customer — using it to try to criminally prosecute people is a new low.”
When you purchase through links in our articles, we may earn a small commission. This doesn’t affect our editorial independence.