Microsoft’s public dispute with a security researcher is sparking renewed debate in the cybersecurity industry over vulnerability disclosure policies. The core of the controversy lies in the researcher’s public disclosure of multiple vulnerabilities and exploit code before Microsoft had completed fixes, with Microsoft criticizing this approach as potentially aiding attackers and warning that it will pursue legal and law enforcement avenues.
Microsoft criticizes public disclosure
On Wednesday, Microsoft published a blog post criticizing the researcher known as "Nightmare Eclipse" for publicly disclosing multiple vulnerabilities, including BlueHammer, RedSun UnDefend, and YellowKey. These issues affect Windows' built-in antivirus engine, Defender, as well as disk encryption tools like BitLocker.
Microsoft stated that the researcher did not first submit the vulnerabilities through standard channels to give the company time to patch them. Microsoft believes that such public disclosures before patches are available increase the risk of real-world attacks. Microsoft also noted that some of these vulnerabilities were later exploited by hackers in actual attacks, a situation also referenced by the U.S. cybersecurity agency CISA.
Microsoft's mention of criminal referral sparks backlash
Microsoft wrote in its blog that its Digital Crimes Unit will continue to pursue cases against the actors involved and those "assisting their criminal activities," and will coordinate with global law enforcement agencies as needed. Many outsiders interpret this statement as a legal threat directed at researchers.
Over the past few weeks, Nightmare Eclipse stated on their blog that they had contacted Microsoft but were treated improperly, including the revocation of their Microsoft Security Response Center account privileges, which had been used to submit vulnerability reports. The researcher implied that they chose to publicly disclose the vulnerabilities only after communication channels were blocked.
Public records show that information about these vulnerabilities was posted on GitHub and GitLab, and the associated accounts have since been banned. GitHub is currently owned by Microsoft.
The security community is concerned about a chilling effect
The incident quickly sparked dissatisfaction within the security research community. The question at the heart of the debate is not new: whether independent researchers must ensure vendors have fixed vulnerabilities before disclosure, and to what extent researchers should be held responsible if the vendor handles the issue poorly.
Bug bounty and coordinated disclosure programs were originally established to alleviate such conflicts. Today, most major tech companies offer rewards to researchers who privately report vulnerabilities and coordinate the public disclosure of details once the issues have been fixed.
Katie Moussouris, founder of Luta Security and the person who previously led Microsoft’s vulnerability bounty program, told TechCrunch that Microsoft’s continued use of terms like “responsible disclosure” inherently places the burden of responsibility solely on researchers, and that mentioning the Digital Crimes Unit may further erode researchers’ trust in Microsoft.
She warned that if researchers are no longer willing to report vulnerabilities to Microsoft, more security issues will remain hidden from public view, ultimately increasing overall risk. Kevin Beaumont, a former Microsoft employee and current security researcher, also publicly criticized Microsoft’s approach, stating that the company’s direct linkage of exploit code to “criminal activity” has triggered a self-inflicted public relations and trust crisis.
