SUMMARYMicrosoft is criticizing a security researcher known as Nightmare Eclipse for publicly disclosing multiple unpatched vulnerabilities in its products, including Defender and BitLocker, along with exploit code. The company says the disclosures were irresponsible because they were not first reported for repair and may have helped attackers, while the researcher claims Microsoft mistreated them and revoked access to its reporting portal. The dispute has led to bans on GitHub and GitLab accounts and sparked broader complaints from other researchers about Microsoft’s bug reporting process.
"A security researcher published a series of unpatched bugs in Microsoft products," reports TechCrunch, "along with code to exploit them."
Microsoft's response to the researcher? "Threatening to take legal action and call the cops on them."
On Wednesday, Microsoft published a blog post criticizing the researcher, who goes by the handle "Nightmare Eclipse," for publicly disclosing a series of bugs, including BlueHammer, RedSun, UnDefend, and YellowKey. The flaws affected products such as the Windows built-in antivirus engine Defender and the disk-encryption tool BitLocker.
The core of Microsoft's complaints is that the researcher did not attempt to report the bugs so that the company could fix them. That would have been "responsible," as Microsoft's blog put it. The other side of the company's argument is that by publishing the details of the bugs and how to exploit them before they were patched, Nightmare Eclipse may have aided malicious hackers. Some of the vulnerabilities Nightmare Eclipse disclosed have since been used by hackers in real-world attacks, according to Microsoft, as well as the U.S. cybersecurity agency CISA. "Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity - coordinating as needed with law enforcement around the world," Microsoft wrote...
In a series of blog posts published in the last couple of weeks - without providing many specific details - Nightmare Eclipse claimed to have been in contact with Microsoft, but the company allegedly mistreated them, including revoking access to their Microsoft Security Response Center account, the portal where researchers can report vulnerabilities to the tech giant. Nightmare Eclipse's implication was that they had no choice but to release the vulnerabilities publicly... The researchers published the bugs on open source repositories GitHub (owned by Microsoft) and GitLab. The researchers' accounts on those platforms have been banned...
In response to this latest controversy with Nightmare Eclipse, countless researchers have shared their bad experiences reporting bugs to Microsoft.
Thanks to long-time Slashdot reader Elektroschock for sharing the news.