Microsoft Threatens Legal Action Over Exploit Disclosure Feud
May 31 -
Microsoft is under fire for its handling of zero-day vulnerabilities after threatening legal action against a security researcher who publicly posted exploit code. The researcher, known as Nightmare Eclipse, has been feuding with the company and sharing proof-of-concept exploits; the nature of those exploits suggests the researcher may be a disgruntled former employee. The conflict has drawn attention from cybersecurity experts, including Kevin Beaumont, who highlighted Microsoft's aggressive response.
Microsoft's Response to Nightmare Eclipse
Microsoft has indicated plans to pursue a criminal case against Nightmare Eclipse for failing to follow proper coordination in disclosing vulnerabilities. The company also disabled the researcher's accounts on GitHub, GitLab, and the Microsoft Security Response Center. As Beaumont noted, "It's quite difficult to 'responsibly' report future vulnerabilities when you have been banned." This raises questions about the fairness of Microsoft's approach to vulnerability disclosure.
Double Standards in Microsoft's Hiring Practices
What troubles Beaumont is that Microsoft has hired individuals who have publicly posted zero-day exploits in the past, some with criminal hacking convictions. The company has also purchased exploits from brokers. Beaumont argues that if Microsoft tries to criminalize not following its responsible disclosure framework, they will face challenges in court due to their own inconsistent history.
Key Points of Contention
- Legal threats: Microsoft plans to bring a criminal case against Nightmare Eclipse.
- Account bans: The researcher's GitHub, GitLab, and MSRC accounts were disabled.
- Prior hires: Microsoft has employed people who publicly posted zero-day exploits.
- Exploit purchases: Microsoft has bought exploits from brokers in the past.
Implications for Cybersecurity and Responsible Disclosure
This feud highlights the ongoing tension between security researchers and tech companies over responsible disclosure. Microsoft's aggressive stance could discourage researchers from reporting vulnerabilities, potentially leaving systems exposed. Beaumont sums it up: "If Microsoft's tactic is to try to criminalise not following often arbitrary 'responsible disclosure' frameworks, good luck defending that in court — because there's a whole clown car of prior decision making within Microsoft and facts which would emerge in that process."