Lorenzo Franceschi-Bicchierai<\/p>\n\n\n\n After a security researcher published a series of unpatched bugs in Microsoft products, along with code to exploit them, the company is now threatening to take legal action and call the cops on them. Microsoft\u2019s veiled threat reignites a long-running argument over what responsibility, if any, security researchers have to disclose vulnerabilities affecting large and wealthy tech giants.<\/p>\n\n\n\n On Wednesday, Microsoft published a blog post<\/a> criticizing the researcher, who goes by the handle \u201cNightmare Eclipse,\u201d for publicly disclosing a series of bugs, including BlueHammer<\/a>, RedSun<\/a>, UnDefend<\/a>, and YellowKey<\/a>. The flaws affected products such as the Windows built-in antivirus engine Defender and the disk-encryption tool BitLocker. <\/p>\n\n\n\n The core of Microsoft\u2019s complaints is that the researcher did not attempt to report the bugs so that the company could fix them. That would have been \u201cresponsible,\u201d as Microsoft\u2019s blog put it. The other side of the company\u2019s argument is that by publishing the details of the bugs and how to exploit them before they were patched, Nightmare Eclipse may have aided malicious hackers. Some of the vulnerabilities Nightmare Eclipse disclosed have since been used by hackers in real-world attacks, according to Microsoft, as well as the U.S. cybersecurity agency CISA.<\/p>\n\n\n\n \u201cOur Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity \u2014 coordinating as needed with law enforcement around the world,\u201d Microsoft wrote. (Microsoft\u2019s Digital Crimes Unit has the mission of protecting the company through different strategies, including \u201ccivil legal actions, technical countermeasures, criminal referrals, and public-private partnerships,\u201d according to its website<\/a>).<\/p>\n\n\n\n In a series of blogs<\/a> published in the last couple of weeks \u2014 without providing many specific details \u2014 Nightmare Eclipse claimed to have been in contact with Microsoft, but the company allegedly mistreated them, including revoking access to their Microsoft Security Response Center account, the portal where researchers can report vulnerabilities to the tech giant. Nightmare Eclipse\u2019s implication was that they had no choice but to release the vulnerabilities publicly, which essentially meant that at that point they were zero-days<\/a>, a specific term for security flaws that are unknown to the software maker affected at the time they are disclosed or exploited.<\/p>\n\n\n\n The researchers published the bugs on open source repositories GitHub<\/a> (owned by Microsoft) and GitLab<\/a>. The researchers\u2019 accounts on those platforms have been banned. <\/p>\n\n\n\n Nightmare Eclipse and Microsoft did not respond to a request for comment. <\/p>\n\n\n\n This public spat brings back a long-running and still somewhat controversial debate: Do independent security researchers have a duty to make sure the vulnerabilities they find get fixed? And how far are they supposed to go to make sure the companies whose products are vulnerable actually fix them? <\/p>\n\n\n\n One part of this debate, which has been fully settled and widely recognized, is that researchers deserve to get paid for their work. While it may sound obvious these days, it took years of struggle, captured in part during a campaign launched in 2009 called \u201cNo More Free Bugs<\/a>.\u201d Almost 20 years later, most companies small and large pay \u201cbug bounty\u201d financial rewards, which can today run as high as six figures or more to researchers who privately disclose bugs and coordinate publishing their details once the bugs are fixed.<\/p>\n\n\n\n In response to this latest controversy with Nightmare Eclipse, countless researchers<\/a> have shared their bad experiences reporting bugs to Microsoft. It\u2019s fair to say that much of the cybersecurity community is vocally unhappy about how Microsoft is handling this issue. This includes cybersecurity veterans, such as Luta Security founder Katie Moussouris, who while working at Microsoft in the mid- to late 2000s pioneered bug bounties and convinced the technology giant to move away from the concept of \u201cresponsible disclosure\u201d by framing the process as \u201ccoordinated disclosure<\/a>.\u201d<\/p>\n\n\n\n \u201cInvoking the term \u2018responsible\u2019 disclosure was the first strike in my book,\u201d Moussouris told TechCrunch, referring to Microsoft\u2019s blog post. \u201cAdding a threat of prosecution by mentioning [Digital Crimes Unit] was over the top, and will only result in security researchers distrusting Microsoft.\u201d<\/p>\n\n\n\n Moussouris warned that the consequences of security researchers losing trust with Microsoft could result in a chilling effect of fewer people coming forward to report bugs, \u201cmaking it less safe for all of us.\u201d<\/p>\n\n\n\nCybersecurity veterans warn of chilling effect<\/h2>\n\n\n\n