After a security researcher published a series of unpatched bugs in Microsoft products, along with code to exploit them, the company is now threatening legal action and invoking law enforcement against the researcher. Microsoft's veiled threat rekindles a long-running argument about the responsibility, if any, that security researchers bear to report the vulnerabilities they find to large and wealthy tech giants before going public.
On Wednesday, Microsoft published a blog post criticizing the researcher, who goes by "Nightmare Eclipse", for publicly revealing a number of bugs, including ones named BlueHammer, RedSun, UnDefend and YellowKey. The flaws affected products such as the built-in antivirus engine in Windows Defender and the BitLocker disk encryption tool.
The core of Microsoft's complaint is that the researcher didn't try to report the bugs so the company could fix them, which would have been "responsible," as Microsoft's blog put it. The other side of the company's argument is that by publishing the details of the bugs and how to exploit them before they were patched, Nightmare Eclipse may have aided malicious hackers. Some of the vulnerabilities revealed by Nightmare Eclipse have since been used in real attacks, according to both Microsoft and the US cybersecurity agency CISA.
“Our Digital Crimes Unit will continue to prosecute these actors and those who enable their criminal activity — coordinating as necessary with law enforcement around the world,” Microsoft wrote. (Microsoft’s Digital Crimes Unit is tasked with protecting the company through different strategies, including “civil lawsuits, technical countermeasures, criminal referrals, and public-private partnerships,” according to its website).
In a series of blog posts published over the past two weeks, Nightmare Eclipse claimed, without providing many specific details, to have been in contact with Microsoft, and alleged that the company mistreated them, including by revoking their access to the Microsoft Security Response Center, the portal through which researchers report vulnerabilities to the tech giant. Nightmare Eclipse's implication was that they had no choice but to release the vulnerabilities publicly, which at that point made them zero-days: security flaws that are publicly disclosed or exploited before the affected vendor has had a chance to patch them.
The researcher published the bugs on the code-hosting platforms GitHub (owned by Microsoft) and GitLab; the researcher's accounts on both platforms have since been banned.
Nightmare Eclipse and Microsoft did not respond to a request for comment.
Cybersecurity veterans warn of a chilling outcome
This public spat brings back a long-standing and still somewhat contentious debate: Do independent security researchers have a duty to ensure that the vulnerabilities they find are patched? And how far should they go to make sure that companies whose products are vulnerable actually fix them?
One part of this debate, which has been fully settled and widely acknowledged, is that researchers deserve to be paid for their work. While it may sound obvious these days, it took years of struggle, captured in part by a campaign launched in 2009 under the banner "No more free bugs." Nearly 20 years later, many companies, small and large, pay "bug bounties," which today can run into six figures or more, to researchers who report bugs privately and coordinate publication of the details once the bugs are fixed.
In response to this latest feud with Nightmare Eclipse, countless researchers have shared their own bad experiences reporting bugs to Microsoft. It's fair to say that much of the cybersecurity community is vocally unhappy with Microsoft's handling of this issue. That includes cybersecurity veterans like Katie Moussouris, founder of Luta Security, who while working at Microsoft in the mid-to-late 2000s pioneered the company's bug bounties and convinced the tech giant to drop the term "responsible disclosure" in favor of "coordinated vulnerability disclosure."
“Invoking the term ‘responsible’ disclosure was the first strike in my book,” Moussouris told TechCrunch, referring to Microsoft’s blog post. “Adding threat of prosecution by reporting [Digital Crimes Unit] was over the top and will only result in security researchers not trusting Microsoft.”
Moussouris warned that security researchers losing trust in Microsoft could have the chilling effect of fewer people reporting bugs, "making it less secure for all of us."
Security researcher and former Microsoft employee Kevin Beaumont also called out Microsoft in a blog post, describing the company's position as a "garbage fire of its own making."
“Proof of concept exploit creation and distribution for zero days is ‘criminal activity’ now?” Beaumont wrote. “Responsible disclosure is often framed to protect the product owner rather than the customer – using it to try to prosecute people is a new low.”
