After a security researcher published unpatched bugs in Microsoft products - complete with exploit code - the company responded not by fixing them, but by threatening to call the cops. Microsoft's veiled legal threat has reignited the long-running debate about whether security researchers owe anything to trillion-dollar tech giants that can't be bothered to patch their own software.
On Wednesday, Microsoft published a blog post criticizing the researcher known as "Nightmare Eclipse" for publicly disclosing a series of bugs with names like BlueHammer, RedSun UnDefend, and YellowKey - names that sound less like security flaws and more like rejected Power Rangers villains. The flaws affected products including Defender, the antivirus engine built into Windows, and the disk-encryption tool BitLocker.
Microsoft's core complaint is that the researcher didn't report the bugs privately so the company could fix them first. That would have been the "responsible" thing to do, according to Microsoft. The company also argues that publishing exploit details before a patch was available may have aided malicious hackers - and indeed, some of the vulnerabilities have since been used in real-world attacks, according to both Microsoft and the U.S. cybersecurity agency CISA.
"Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity - coordinating as needed with law enforcement around the world," Microsoft wrote. The Digital Crimes Unit's mission, according to its website, includes "civil legal actions, technical countermeasures, criminal referrals, and public-private partnerships." So, essentially, they're the corporate version of calling your dad because someone was mean to you.
In a series of blogs published over the last couple of weeks, Nightmare Eclipse claimed they had been in contact with Microsoft but were allegedly mistreated - including having their Microsoft Security Response Center account revoked. Their implication was that they had no choice but to release the vulnerabilities publicly, effectively turning them into zero-days: security flaws unknown to the affected software maker at the time of disclosure.
The researcher published the bugs on GitHub and GitLab - both platforms where their accounts have since been banned. Neither Nightmare Eclipse nor Microsoft responded to requests for comment.
This public spat revives a still-controversial debate: Do independent security researchers have a duty to ensure the vulnerabilities they find get fixed? And how far must they go to make sure the companies whose products are vulnerable actually fix them?
One part of this debate has been settled: researchers deserve to get paid. It took years of struggle - captured partly by the 2009 campaign "No More Free Bugs" - but nearly 20 years later, most companies pay bug bounties that can run six figures or more for private disclosures.
In response to this latest controversy, countless researchers have shared their bad experiences reporting bugs to Microsoft. The cybersecurity community is vocally unhappy. This includes Katie Moussouris, founder of Luta Security, who while working at Microsoft in the mid-to-late 2000s pioneered bug bounties and convinced the company to adopt "coordinated disclosure" instead of "responsible disclosure."
"Invoking the term 'responsible' disclosure was the first strike in my book," Moussouris told TechCrunch. "Adding a threat of prosecution by mentioning [Digital Crimes Unit] was over the top, and will only result in security researchers distrusting Microsoft." She warned that losing researcher trust could create a chilling effect, making "it less safe for all of us."
Security researcher and former Microsoft employee Kevin Beaumont also called out the company, describing its position as a "dumpster fire of its own making." "Proof of concept exploit creation and distribution for zero days is 'criminal activity' now?" wrote Beaumont. "Responsible disclosure quite often is framed to protect the product owner, not the customer - using it to try to criminally prosecute people is a new low."