Microsoft under fire for threatening security researcher with criminal investigation
Microsoft is threatening to take legal action and involve law enforcement against a security researcher who published unpatched bugs in Microsoft products, reigniting a debate over security researcher disclosure.

Microsoft is facing backlash for threatening to take legal action and involve law enforcement against a security researcher who published a series of unpatched bugs in Microsoft products, along with code to exploit them. The researcher, known as "Nightmare Eclipse," published the bugs, including BlueHammer, RedSun UnDefend, and YellowKey, which affected products such as the Windows built-in antivirus engine Defender and the disk-encryption tool BitLocker. Microsoft criticized Nightmare Eclipse for not reporting the bugs to the company before disclosing them publicly.
The company argued that by publishing the details of the bugs and how to exploit them before they were patched, Nightmare Eclipse may have aided malicious hackers. Some of the vulnerabilities have since been used by hackers in real-world attacks, according to Microsoft and the U.S. cybersecurity agency CISA.
In response, Nightmare Eclipse claimed to have been in contact with Microsoft, but said the company mistreated them, including by revoking access to their Microsoft Security Response Center (MSRC) account. Nightmare Eclipse implied that they had no choice but to publish, and because the bugs were still unpatched when the details and exploit code went public, they were zero-days from the moment of release. The researcher published the bugs on the code-hosting platforms GitHub and GitLab, but their accounts on both platforms have since been banned.
The public spat has reignited a long-running debate over whether independent security researchers have a duty to ensure that the vulnerabilities they find get fixed. The cybersecurity community is vocally unhappy with how Microsoft is handling the issue, with many researchers sharing their bad experiences reporting bugs to the company. Cybersecurity veterans, such as Luta Security founder Katie Moussouris, have spoken out against Microsoft's approach, warning that it could result in a chilling effect of fewer people coming forward to report bugs.
"Invoking the term 'responsible' disclosure was the first strike in my book," Moussouris told TechCrunch. "Adding a threat of prosecution by mentioning [Digital Crimes Unit] was over the top, and will only result in security researchers distrusting Microsoft." Moussouris warned that researchers losing trust in Microsoft would mean fewer people coming forward to report bugs, "making it less safe for all of us."

Security researcher and former Microsoft employee Kevin Beaumont also called out Microsoft in a blog post, describing the company's position as "a dumpster fire of its own making." "...Proof of concept exploit creation and distribution for zero days is 'criminal activity' now?" wrote Beaumont. "Responsible disclosure quite often is framed to protect the product owner, not the customer — using it to try to criminally prosecute people is a new low."
Source: TechCrunch