Microsoft is threatening criminal prosecution against a researcher known as Nightmare Eclipse for publicly disclosing zero-day exploits without following the company's coordinated vulnerability disclosure process. Microsoft also disabled the researcher's GitHub, GitLab, and Microsoft Security Response Center accounts.
Cybersecurity researcher Kevin Beaumont flagged Microsoft's official response as the real story here. The company's position frames legal action as a customer protection measure, but Beaumont calls it a dumpster fire of Microsoft's own making. Some of Nightmare Eclipse's posts suggest a disgruntled former employee with insider knowledge, which raises the stakes on both sides.
The full piece is worth reading for Beaumont's technical breakdown of what Microsoft's stance actually means for responsible disclosure norms industry-wide. If a company can criminalize researchers and nuke their accounts for going public, the incentive structure for reporting bugs shifts in ways that hurt everyone except the attackers.