Microsoft threatens legal action after researcher publishes unpatched bugs with exploit code

Microsoft under fire over disclosure dispute
Microsoft is facing criticism after warning that it may pursue legal action and involve law enforcement against a security researcher who publicly disclosed a series of unpatched vulnerabilities in its products, along with proof-of-concept exploit code.
In a blog post published Wednesday, the company criticized the researcher, who uses the handle “Nightmare Eclipse,” for publishing details of bugs it says affected products including Windows Defender and BitLocker. Microsoft said the disclosure was not “responsible” because the flaws had not been patched before the information was made public.
The company’s response has reignited a long-running debate over how security researchers should handle vulnerabilities in major software platforms, especially when the flaws affect widely used tools from a company with Microsoft’s resources.
Microsoft said some of the vulnerabilities disclosed by Nightmare Eclipse have since been used by hackers in real-world attacks, according to the company and the U.S. cybersecurity agency CISA. It also said its Digital Crimes Unit will continue to pursue cases against those it believes contribute to criminal activity, including through coordination with law enforcement.
Nightmare Eclipse, in a series of blog posts over the past couple of weeks, claimed to have been in contact with Microsoft and said the company mistreated them. The researcher alleged Microsoft revoked access to their Microsoft Security Response Center account, the portal researchers use to report vulnerabilities. That, the researcher suggested, left public disclosure as the only option.
The bugs were then published on open source repositories, where they were accompanied by code intended to demonstrate how they could be exploited. Once disclosed without patches in place, the issues became zero-days — flaws unknown to the software maker at the time of disclosure or exploitation.
Microsoft’s criticism centers on the argument that the researcher should have reported the bugs privately first. The researcher’s position, as presented in the blog posts, is that Microsoft’s handling of the situation left them no meaningful path to responsible disclosure. The dispute now places Microsoft’s security response process under scrutiny, while raising fresh questions about where the line falls between public-interest research and conduct that can aid attackers.