Microsoft is facing criticism for its handling of zero-day exploits. Someone going by the name Nightmare Eclipse has been publicly feuding with the company, posting proof-of-concept exploit code. Some of their posts suggest that they’re a disgruntled former employee. But what caught cyber security researcher Kevin Beaumont’s eye was how Microsoft has responded.
Microsoft suggests it plans to bring a criminal case against Nightmare Eclipse for failing to follow “proper coordination” in disclosing vulnerabilities. They also disabled Nightmare Eclipse’s GitHub, GitLab, and Microsoft Security Response Center accounts disabled. As Beaumont points out, “It’s quite difficult to ‘responsibly’ report future vulnerabilities when you have been banned.”
What troubles Beaumont is that Microsoft has hired people who have done many of the exact same things. They’ve employed people who have publicly posted zero-day exploits, some with criminal hacking convictions on their record. Microsoft has also purchased exploits from brokers.
If Microsoft’s tactic is to try to criminalise not following often arbitrary “responsible disclosure” frameworks, good luck defending that in court — because there’s a whole clown car of prior decision making within Microsoft and facts which would emerge in that process.