After a security researcher published a series of unpatched bugs in Microsoft products, along with code to exploit them, the company is now threatening to take legal action and call the cops on them. Microsoft’s veiled threat reignites a long-running argument over what responsibility, if any, security researchers have to disclose vulnerabilities affecting large and wealthy tech giants.
On Wednesday, Microsoft published a blog post criticizing the researcher, who goes by the handle “Nightmare Eclipse,” for publicly disclosing a series of bugs, including BlueHammer, RedSun UnDefend, and YellowKey. The flaws affected products such as the Windows built-in antivirus engine Defender, and the disk-encryption tool BitLocker.
The core of Microsoft’s complaints is that the researcher did not attempt to report the bugs so that the company could fix them. That would have been “responsible,” as Microsoft’s blog put it. The other side of the company’s argument is that by publishing the details of the bugs and how to exploit them before they were patched, Nightmare Eclipse may have aided malicious hackers. Some of the vulnerabilities Nightmare Eclipse disclosed have since been used by hackers in real world attacks, according to Microsoft, as well as the U.S. cybersecurity agency CISA.
“Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity — coordinating as needed with law enforcement around the world,” Microsoft wrote. (Microsoft’s Digital Crimes Unit has the mission of protecting the company through different strategies, including “civil legal actions, technical countermeasures, criminal referrals, and public-private partnerships,” according to its website).
In a series of blogs published in the last couple of weeks — without providing many specific details — Nightmare Eclipse claimed to have been in contact with Microsoft, but the company allegedly mistreated them, including revoking access to their Microsoft Security Response Center account, the portal where researchers can report vulnerabilities to the tech giant …