The company is now threatening to take legal action and call the police after security researchers published a series of unpatched bugs in Microsoft products and code to exploit them. Microsoft's veiled threat reignites a long-standing debate over what liability security researchers should bear if they are required to disclose vulnerabilities that affect large and wealthy tech giants.
Microsoft on Wednesday published a blog post criticizing a researcher who goes by the handle “Nightmare Eclipse” for disclosing a series of bugs including BlueHammer, RedSun UnDefend, and YellowKey. The flaw affected products such as Windows' built-in antivirus engine Defender and the disk encryption tool BitLocker.
At the heart of Microsoft's complaint is that the researchers did not attempt to report the bugs so the company could fix them. That would have been the “responsible” thing to do, as Microsoft's blog says. The other side of the company's argument is that Nightmare Eclipse may have helped malicious hackers by publishing details of the bug and how to exploit it before it was patched. Some of the vulnerabilities exposed by Nightmare Eclipse have since been used by hackers in real-world attacks, according to Microsoft and the US cybersecurity agency CISA.
“Our Digital Crimes Unit will continue to prosecute these actors and those who enable their criminal activity, working with law enforcement agencies around the world as necessary,” Microsoft wrote. (Microsoft's Digital Crimes Division is tasked with protecting the company through a variety of strategies, including “civil litigation, technological countermeasures, criminal referrals, and public-private partnerships,” according to its website.)
In a series of blogs published in recent weeks (without providing many specific details), Nightmare Eclipse claimed to have been in contact with Microsoft, but the company allegedly mistreated them, including revoking access to their Microsoft Security Response Center accounts, a portal where researchers can report vulnerabilities to the tech giant. The implication of Nightmare Eclipse was that they had no choice but to publicly disclose the vulnerability, which essentially meant that at the time the vulnerability was a zero-day (a specific term for a security flaw that was unknown to the affected software manufacturer at the time it was disclosed or exploited).
The researchers published the bug on the open source repositories GitHub (owned by Microsoft) and GitLab. The researchers' accounts on these platforms were banned.
Nightmare Eclipse and Microsoft did not respond to requests for comment.
Cybersecurity veteran warns of chilling effect
This public spat is reminiscent of a long-running, and still somewhat controversial, debate. Are independent security researchers obligated to ensure that the vulnerabilities they discover are fixed? And how far should they go to ensure that companies with vulnerabilities in their products can actually fix them?
One part of this debate that is completely settled and widely recognized is that researchers have a right to be compensated for their work. It may seem obvious now, but it took years of hard work, some of which was captured during a campaign launched in 2009 called “No More Free Bugs.” Almost 20 years later, most companies, large and small, now offer financial rewards called “bug bounties.” Today, the sums can reach upwards of six figures for researchers who privately disclose bugs and then coordinate the publication of the details after the bug has been fixed.
In response to this latest controversy regarding Nightmare Eclipse, countless researchers shared their bitter experiences reporting bugs to Microsoft. It's safe to say that many in the cybersecurity community are vocally dissatisfied with Microsoft's response to this issue. This includes cybersecurity veterans like Katie Moussouris, founder of Luta Security. While working at Microsoft in the mid-to-late 2000s, he pioneered the bug bounty system and convinced the tech giant to move away from the concept of “responsible disclosure” by framing the process as “coordinated disclosure.”
“Bringing up the term 'responsible' disclosure was the first attack on my book,” Moussoulis told TechCrunch, referring to Microsoft's blog post. “Mention and threaten prosecution.” [Digital Crimes Unit] That would be overkill and would only make security researchers mistrust Microsoft. ”
Moussouris warned that security researchers' loss of trust in Microsoft could have a chilling effect as fewer people report bugs, making it “less secure for all of us.”
Kevin Beaumont, a security researcher and former Microsoft employee, also criticized Microsoft in a blog post, calling the company's position a “self-inflicted dumpster fire.”
“…is the creation and zero-day distribution of a proof-of-concept exploit now a 'criminal act'?” Beaumont wrote. “Responsible disclosure is too often aimed at protecting product owners rather than customers, and its use to criminally prosecute people is at an all-time low.”
If you buy through links in our articles, we may earn a small commission. This does not affect editorial independence.