Microsoft under fire for threatening researcher with criminal investigation
Former employees and industry experts warn that legal threats against independent researchers damage trust and compromise digital security.

Microsoft has drawn sharp criticism from the cybersecurity community after threatening legal action against an independent security researcher known as “Nightmare Eclipse” for publicly disclosing unpatched vulnerabilities in Windows Defender and BitLocker. The company accused the researcher of aiding malicious hackers by releasing exploit code before the flaws were fixed, while the researcher alleged that Microsoft mistreated them and revoked their reporting access, forcing public disclosure.
On Wednesday, Microsoft published a blog post criticising the researcher for disclosing a series of bugs, including BlueHammer, RedSun UnDefend, and YellowKey. The firm’s Digital Crimes Unit stated it would continue bringing cases against these actors and those that enable their criminal activity, coordinating with law enforcement around the world. Microsoft and the U.S. cybersecurity agency CISA noted that some of the vulnerabilities disclosed have reportedly been used by hackers in real-world attacks.
Nightmare Eclipse claimed in a series of blogs published in the last couple of weeks that they had been in contact with Microsoft but were allegedly mistreated, including having their Microsoft Security Response Center account access revoked. The researcher published the bugs on the code-hosting platforms GitHub, which is owned by Microsoft, and GitLab; their accounts on those platforms have since been banned.
The incident reignites a long-running debate over how security researchers should disclose vulnerabilities in the products of large tech companies. There is a widely recognized consensus that researchers deserve financial compensation for their work, a shift from the “No More Free Bugs” campaign launched in 2009. Most companies now pay “bug bounty” rewards, which can reach six figures or more, for privately disclosing bugs and coordinating publication once they are fixed.
Katie Moussouris, who pioneered bug bounties while working at Microsoft in the mid-to-late 2000s and convinced the company to move away from “responsible disclosure” in favour of “coordinated disclosure,” was among the industry experts who condemned the threat of prosecution as counterproductive and damaging to trust between researchers and tech giants. The term “zero-day” refers to security flaws that are unknown to the software maker at the time they are disclosed or exploited.
Microsoft and Nightmare Eclipse did not respond to a request for comment.