Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124

After a security researcher published a series of unpatched bugs in Microsoft products, along with code to exploit them, the company is threatening legal action and referrals to law enforcement. The episode is reigniting a long-running debate over what responsibility, if any, security researchers have when they uncover flaws that affect large and wealthy tech giants.
On Wednesday, Microsoft published a blog post criticizing the researcher, who goes by the handle “Nightmare Eclipse,” for publicly disclosing a number of flaws, including BlueHammer, RedSun, Do not protect, and YellowKey. The flaws affect components such as Windows Defender’s antivirus engine and the BitLocker disk-encryption tool.
The crux of Microsoft’s complaint is that the researcher did not try to report the bugs so that the company could fix them first, which would have been “official,” in the words of Microsoft’s blog post. Part of the company’s argument is that by publishing details of the bugs, and how to use them, before they were patched, Nightmare Eclipse may have helped malicious hackers. Some of the vulnerabilities Nightmare Eclipse uncovered have since been exploited in real-world attacks, according to both Microsoft and the US cybersecurity agency CISA.
“Our Digital Crimes Unit will continue to prosecute those involved in these crimes and those who support them – liaising as necessary with law enforcement around the world,” Microsoft wrote. (Microsoft’s Digital Crimes Unit is tasked with protecting the company through a variety of methods, including “civil litigation, technical countermeasures, criminal referrals, and public relations,” according to its website.)
In a series of blog posts published over the past few weeks – without providing specific details – Nightmare Eclipse says they contacted Microsoft, but that the company allegedly mistreated them, including by cutting off access to their Microsoft Security Response Center account, the channel through which researchers report flaws to the technology giant. Nightmare Eclipse’s position was that they had no choice but to release the flaws publicly, which at that point made them zero days: the term for security flaws that are not known to the developer of the affected software at the time they are disclosed or exploited.
The researcher published the bugs on the code-hosting sites GitHub (owned by Microsoft) and GitLab. The researcher’s accounts on both platforms have since been banned.
Nightmare Eclipse and Microsoft did not respond to requests for comment.
The public spat reignites a long-running and contentious debate: Do independent security researchers have a responsibility to ensure that the vulnerabilities they find get fixed? And how far should they go to make sure that the companies whose products are affected fix them?
One part of the debate, now largely settled and well known, is whether researchers should be paid for their work. Although it may seem obvious today, it took years of struggle, fought in part through a campaign launched in 2009 called “No More Free Bugs.” Almost 20 years later, many companies large and small pay financial “bounties,” which today can reach six figures or more, to researchers who privately report bugs and share the details needed to fix them.
In response to the recent controversy with Nightmare Eclipse, countless researchers shared their own experiences of reporting bugs to Microsoft. It’s fair to say that many in the cybersecurity community are unhappy with Microsoft’s handling of the matter. This includes cybersecurity advocates such as Luta Security founder Katie Moussouris, who worked at Microsoft in the mid-to-late 2000s and convinced the tech giant to move away from the concept of “responsible disclosure” by relabeling the policy “coordinated disclosure.”
“Mentioning the word ‘decent’ disclosure was a first in my book,” Moussouris told TechCrunch, referring to Microsoft’s post. “Increasing the risk of being sued by saying that [the Digital Crimes Unit] was over the top, and it will only make security researchers distrust Microsoft.”
Moussouris warned that security researchers losing confidence in Microsoft could lead to fewer people coming forward to report bugs: “it will be safer for all of us.”
Security researcher and former Microsoft employee Kevin Beaumont also called out Microsoft in a blog post, describing the company’s position as a “self-made fire engine.”
“Evidence of the creation of ideas and distribution of zero days is a ‘criminal activity’ now?” wrote Beaumont. “Reasonable disclosures are often made to protect the product owner, not the customer – using it to try to prosecute people is a new low.”