Microsoft faces criticism for warning a security researcher of a potential criminal investigation.

After a security researcher disclosed a series of unpatched vulnerabilities in Microsoft products, along with exploit code for them, the company has threatened to pursue legal action and involve law enforcement. The thinly veiled warning has reopened a long-running debate over what obligations, if any, security researchers have when disclosing vulnerabilities that affect large and well-funded technology companies.

On Wednesday, Microsoft released a blog post denouncing the researcher, known as “Nightmare Eclipse,” for making public a sequence of flaws, including BlueHammer, RedSun, UnDefend, and YellowKey. These vulnerabilities impacted products like the built-in Windows antivirus Defender and the disk-encryption utility BitLocker. 

Microsoft’s main grievance is that the researcher did not try to inform the company about the flaws for remediation. This would have been deemed “responsible,” according to the blog post from Microsoft. Furthermore, the company argues that by revealing the details of the vulnerabilities and the methods to exploit them prior to their remedy, Nightmare Eclipse might have assisted malicious hackers. Some vulnerabilities that Nightmare Eclipse reported have reportedly been exploited by hackers in actual attacks, as stated by Microsoft and the U.S. cybersecurity agency CISA.

“Our Digital Crimes Unit will carry on pursuing actions against these individuals and those who facilitate their illicit activities — collaborating with law enforcement globally as necessary,” Microsoft stated. (The goal of Microsoft’s Digital Crimes Unit is to safeguard the company employing various strategies, such as “civil legal actions, technical countermeasures, criminal referrals, and public-private partnerships,” according to its website).

In a series of blog posts over the past few weeks, which offered few specifics, Nightmare Eclipse said they had been in contact with Microsoft but claimed to have been mistreated, including having their account on the Microsoft Security Response Center, the portal through which researchers report vulnerabilities to the company, revoked. Nightmare Eclipse suggested this left them no option but to disclose the vulnerabilities publicly, effectively making them zero-days, the term for security flaws that are unknown to the affected software maker, and so unpatched, at the time they are disclosed or exploited.

The bugs were published on the code-hosting platforms GitHub (owned by Microsoft) and GitLab. The researcher's accounts on both platforms have since been disabled.

Neither Nightmare Eclipse nor Microsoft responded to inquiries for comments. 

Cybersecurity experts caution against chilling effect

This public conflict resurrects a longstanding and still somewhat contentious debate: Do independent security researchers have an obligation to ensure that the vulnerabilities they discover are addressed? And how far are they expected to go to guarantee that the companies whose products are vulnerable actually rectify them? 

One aspect of this discussion, which has been definitively established and broadly accepted, is that researchers ought to be compensated for their contributions. While this may seem obvious in contemporary times, it took years of effort, highlighted by a campaign launched in 2009 dubbed “No More Free Bugs.” Nearly two decades later, the majority of companies, regardless of size, offer “bug bounty” financial incentives, which can amount to six figures or more to researchers who privately disclose vulnerabilities and coordinate the publication of their particulars once the issues are resolved.

In light of the latest incidents involving Nightmare Eclipse, numerous researchers have relayed their negative experiences when reporting vulnerabilities to Microsoft. It is fair to assert that a significant portion of the cybersecurity community is openly dissatisfied with Microsoft’s approach to this matter. This sentiment is echoed by cybersecurity veterans, including Luta Security founder Katie Moussouris, who during her tenure at Microsoft in the mid- to late 2000s developed bug bounties and persuaded the technology giant to shift from the notion of “responsible disclosure” to framing the process as “coordinated disclosure.”

“Referring to ‘responsible’ disclosure was the first misstep in my opinion,” Moussouris remarked to TechCrunch, in reference to Microsoft’s blog post. “Adding the threat of prosecution by mentioning [Digital Crimes Unit] was excessive, and will only result in security researchers losing trust in Microsoft.”

Moussouris cautioned that the ramifications of security researchers losing confidence in Microsoft could lead to a chilling effect, resulting in fewer individuals coming forward to report vulnerabilities, “making it less safe for everyone.”

Security researcher and former Microsoft staff member Kevin Beaumont also criticized Microsoft in a blog post, describing the company’s position as a “dumpster fire of its own making.” 

“Is creating and disseminating proof of concept exploits for zero days now ‘criminal activity’?” Beaumont wrote. “Responsible disclosure is often framed to safeguard the product owner, not the consumer — using it to attempt to criminally prosecute individuals is a new low.”
