After a security researcher published a series of bugs in Microsoft products, along with code to exploit them, the company is now threatening legal action and a referral to law enforcement. Microsoft’s veiled threat has reignited a long-running debate about what responsibility, if any, security researchers have to disclose vulnerabilities to large, wealthy tech giants before making them public.
On Wednesday Microsoft published a blog post criticizing the researcher, who goes by “Nightmare Eclipse,” for publicly revealing a series of flaws, including ones dubbed Bluehammer, Red Sun, Cancel Defense and Yellow Key. The flaws affect products such as the antivirus engine built into Windows Defender and the BitLocker disk encryption tool.
The gist of Microsoft’s complaint is that the researcher did not try to report the bugs so the company could fix them, which, as Microsoft’s blog post put it, would have been the “responsible” thing to do. The other half of the company’s argument is that by publishing details of the bugs and how to exploit them before they were patched, Nightmare Eclipse may have helped malicious hackers. Some of the vulnerabilities revealed by Nightmare Eclipse have since been used in real-world attacks, according to both Microsoft and the US cybersecurity agency CISA.
“Our Digital Crimes Unit will continue to file cases against these actors and those who enable their criminal activity – coordinating as needed with law enforcement authorities around the world,” Microsoft wrote. (According to its website, Microsoft’s Digital Crimes Unit’s mission is to protect the company through various strategies, including “civil legal actions, technical countermeasures, criminal referrals, and public-private partnerships.”)
In a series of blog posts published over the past two weeks, Nightmare Eclipse claimed, without providing many specific details, to have been in contact with Microsoft, and alleged that the company mistreated them, including by revoking access to their Microsoft Security Response Center account, the portal through which researchers report vulnerabilities to the tech giant. The implication was that Nightmare Eclipse felt they had no choice but to release the vulnerabilities publicly, which at that point made them zero-days, a term for security flaws that are unknown to the maker of the affected software at the time they are disclosed or exploited.
The researcher published the bugs in open source repositories on GitHub (owned by Microsoft) and GitLab. The researcher’s accounts on both platforms were subsequently blocked.
Nightmare Eclipse and Microsoft did not respond to a request for comment.
This public disagreement brings back a long-standing and still somewhat controversial debate: Do independent security researchers have a duty to ensure that the vulnerabilities they find are fixed? How far are they supposed to go to make sure that companies whose products are at risk actually fix them?
One part of this debate, which is now fully settled and widely acknowledged, is that researchers deserve to be paid for their work. Although that may seem obvious today, it took years of struggle, captured in part by a campaign launched in 2009 called “No More Free Bugs.” Nearly twenty years later, most companies, small and large, pay financial rewards called “bug bounties,” which today can reach six figures or more, to researchers who privately report bugs and coordinate publication of the details once the bugs are fixed.
In response to the recent controversy with Nightmare Eclipse, countless researchers shared their own bad experiences reporting bugs to Microsoft. It is fair to say that much of the cybersecurity community is publicly unhappy with how Microsoft has handled this issue. That includes cybersecurity experts like Luta Security founder Katie Moussouris, who pioneered bug bounties while working at Microsoft in the mid-to-late 2000s and convinced the tech giant to move away from the concept of “responsible disclosure” by reframing the process as “coordinated disclosure.”
“Calling the term ‘responsible’ disclosure was a first strike in my book,” Moussouris told TechCrunch, referring to a Microsoft blog post. “Adding the threat of prosecution by mentioning the ‘Digital Crimes Unit’ was overblown and will only cause security researchers to distrust Microsoft.”
Moussouris warned that the consequences of security researchers losing trust with Microsoft could have the chilling effect of fewer people coming forward to report bugs, “making it less safe for all of us.”
Security researcher and former Microsoft employee Kevin Beaumont called out Microsoft in a blog post, describing the company’s stance as a “dumpster fire of its own making.”
“…creating and distributing proof-of-concept zero-day exploits is ‘criminal activity’ now?” Beaumont wrote. “Often, responsible disclosure is in place to protect the product owner, not the customer — and using it to try to prosecute people criminally is a new low.”