Microsoft Faces Backlash for Threatening Security Researcher Over Exploit Disclosure

Key Takeaway

Microsoft’s legal threat against researcher Nightmare Eclipse highlights tensions in the security community over ‘responsible disclosure’ practices, especially given the company’s own history of hiring individuals with similar backgrounds.

The Dispute

Microsoft is facing backlash after threatening a security researcher known as Nightmare Eclipse with criminal investigation for publicly posting proof-of-concept exploit code. The researcher, who claims to be a disgruntled former employee, has been feuding with the company by disclosing vulnerabilities without following Microsoft’s coordination guidelines.

Microsoft’s Response

In response, Microsoft disabled Nightmare Eclipse’s accounts on GitHub, GitLab, and the Microsoft Security Response Center (MSRC). The company has indicated it plans to pursue legal action against the researcher for not following its disclosure process. Security researcher Kevin Beaumont criticized Microsoft’s approach, noting, “It’s quite difficult to ‘responsibly’ report future vulnerabilities when you have been banned.”

Hypocrisy Concerns

Beaumont and others point out that Microsoft has hired individuals who have publicly posted zero-day exploits in the past, some with criminal hacking convictions. The company has also purchased exploits from brokers. This raises questions about the fairness of targeting Nightmare Eclipse while overlooking similar behavior by others.

Broader Implications

Experts argue that Microsoft’s stance could chill legitimate security research. The tech giant’s inconsistent history with vulnerability disclosures may weaken its legal position if the case proceeds to court.

Byte Tribune editor. I produce news on technology, artificial intelligence and cybersecurity.