Microsoft is threatening legal action for disclosing exploits

Microsoft is facing criticism for its handling of zero-day exploits. Someone named Nightmare Eclipse is publicly feuding with the company and posting proof-of-concept exploit code. Some of his posts suggest that he is a disgruntled former employee. But what caught cyber security researcher Kevin Beaumont’s attention was how Microsoft responded.

Microsoft suggests it plans to bring a criminal case against Nightmare Eclipse for failing to follow “reasonable coordination” in disclosing the vulnerabilities. They also disabled Nightmare Eclipse’s GitHub, GitLab, and Microsoft Security Response Center accounts. As Beaumont explains, “It’s quite difficult to ‘responsibly’ report future vulnerabilities when you’ve been banned.”

The problem for Beaumont is that Microsoft has hired people who have done many of the same jobs. They have employed people who have publicly posted zero-day exploits, some of whom have criminal hacking charges on their records. Microsoft has also purchased exploits from brokers.

If Microsoft’s strategy is to try to criminalize not following the often arbitrary “responsible disclosure” framework, good luck defending it in court – because there’s a whole clown car of prior decision-making within Microsoft and the facts that will emerge in that process.


