Microsoft Patches Zero-Days Disclosed by Feuding Researcher
Microsoft fixes two high-severity zero-days disclosed by researcher Nightmare Eclipse amid public feud.

Microsoft on Tuesday released fixes for two high-severity zero-days that were disclosed by a researcher who has been locked in a testy beef with the software giant. Nightmare Eclipse, the pseudonym the researcher goes by, has publicly released a handful of high-severity vulnerabilities in recent months before patches were available, making them zero-days with the potential to be exploited in the wild. The researcher has said the disclosures, which included proof-of-concept code, came after Microsoft reneged on an arrangement the two had made regarding vulnerabilities they had discussed.
"But someone violated our agreement and left me homeless with nothing," Nightmare Eclipse wrote in March. "They knew this would happen and they still stabbed me in the back anyway; this is their decision, not mine." The public feud between Microsoft and Nightmare Eclipse highlights the sometimes contentious relationship between tech giants and security researchers. Researchers often rely on bug bounty programs and other arrangements to disclose vulnerabilities, but disagreements can arise when the terms of those arrangements aren't met.
Why this matters: The patching of these zero-days is a relief for Microsoft users, but the public spat between Microsoft and Nightmare Eclipse raises questions about the vulnerability disclosure process. As the threat landscape continues to evolve, tech giants must balance the need to fix security flaws with the need to maintain positive relationships with researchers who help identify them. The incident also underscores the importance of clear communication and mutually beneficial agreements between researchers and companies.
With many high-severity vulnerabilities still awaiting disclosure, the way Microsoft and Nightmare Eclipse navigate their feud could set a precedent for future interactions between tech giants and researchers.
Source: Ars Technica