Microsoft Faces Backlash Over Criminal Probe Threat Against Security Researcher

Windows 11 has been hit by a series of zero-day exploits recently, which were brought to light by aggrieved cybersecurity researcher Nightmare-Eclipse. In response, Microsoft published a blog post threatening legal action against the researcher, after taking his exploits down from GitHub. And that move has spurred widespread outcry from the cybersecurity research community.

Regarding the current threat level to the public, Nightmare-Eclipse's GreenPlasma and MiniPlasma exploits have yet to be patched. The other four exploits (RedSun, UnDefend, BlueHammer, and YellowKey) have already been handled by Microsoft, but the company is obviously unhappy that its hand was forced on the matter.

There are mixed opinions regarding Nightmare-Eclipse's actions, even from those critical of Microsoft's handling of the situation. Former Microsoft employee Kevin Beaumont, quoted by TechCrunch, has called the situation "a dumpster fire" of Microsoft's own making and called the legal threat over posting zero-days "a new low." Beaumont cites a long history of Microsoft hiring researchers who published zero-days, including some with criminal convictions and one who would "repeatedly talk" about selling exploits to Russia and Iran while working there. He also points out that he doesn't support Nightmare-Eclipse's actions, stating it "feels weird" and that there's presumably more going on than is known.

The community response has been vicious, to say the least.

I find the situation difficult to assess without full disclosure from Nightmare-Eclipse and Microsoft. In my original coverage of RedSun, BlueHammer, and UnDefend, I noted the extreme language used by Nightmare-Eclipse, up to and including allegations Microsoft had knowingly ruined his life and made him homeless after violating an unknown agreement.

But I do find the backlash against Microsoft concerning. "Responsible (coordinated) disclosure" as we know it today only exists thanks to companies like Microsoft paying researchers for finding and privately reporting exploits rather than publicly posting them or selling them to criminals and foreign governments. While Nightmare-Eclipse's motivation is likely spite, his findings are still in line with the kind of work for which Microsoft and other Big Tech companies would previously have hired the responsible party.

In a quote to TechCrunch, former Microsoft employee and Luta Security founder Katie Moussouris outright decries the move from Microsoft as "over the top, and will only result in security researchers distrusting Microsoft, [...] making it less safe for all of us."
Chris Harper

Christopher Harper is a tech writer with over a decade of experience writing how-tos and news. Off work, he stays sharp with gym time & stylish action games.