Microsoft under fire for threatening researcher who exposed unpatched vulnerabilities
What's the story
Microsoft is facing backlash after threatening a security researcher, known as "Nightmare Eclipse," with legal action and police involvement. The controversy erupted when the researcher publicly disclosed a number of unpatched vulnerabilities in Microsoft products, including BlueHammer, RedSun UnDefend, and YellowKey. These flaws were found in widely used software such as the Windows Defender antivirus engine and the BitLocker disk-encryption tool.
Disclosure debate
Company's complaint against Nightmare Eclipse
Microsoft's main complaint against Nightmare Eclipse is that they didn't report the bugs first, giving the company a chance to fix them. The tech giant argued that this would have been a "responsible" approach. Furthermore, Microsoft contended that by disclosing details of these vulnerabilities and their exploitation methods before they were fixed, Nightmare Eclipse may have inadvertently assisted malicious hackers.
Security concerns
Microsoft claims vulnerabilities were exploited in real-world attacks
Microsoft and the US cybersecurity agency CISA have claimed that some of the vulnerabilities disclosed by Nightmare Eclipse were exploited by hackers in real-world attacks. The company has threatened legal action against those who enable such criminal activity, saying its Digital Crimes Unit will continue pursuing cases against them. This unit's mission is to protect Microsoft through civil legal actions, technical countermeasures, criminal referrals, and public-private partnerships.
Allegations
Nightmare Eclipse accuses Microsoft of mistreatment
In a series of blog posts, Nightmare Eclipse alleged that they were mistreated by Microsoft. This included the revocation of their access to their Microsoft Security Response Center (MSRC) account, the portal through which researchers report vulnerabilities to the company. The researcher implied that they had no choice but to publicly disclose these vulnerabilities, which effectively turned them into zero-days: flaws that are publicly disclosed, or exploited in the wild, before the vendor has a patch available.
Ethical dilemma
Controversy has sparked a debate over researchers' responsibilities
The public spat between Microsoft and Nightmare Eclipse has reignited a long-standing debate over the responsibilities of independent security researchers. While it is widely accepted that researchers should be compensated for their work, the question remains: do they have a duty to ensure that the vulnerabilities they find are fixed before they are made public? Many in the cybersecurity community have criticized Microsoft's handling of this issue, including Luta Security founder Katie Moussouris and former Microsoft employee Kevin Beaumont.