Microsoft is under scrutiny for its approach to managing zero-day vulnerabilities. A mysterious figure named Nightmare Eclipse, who might be a disillusioned ex-employee, has been clashing with the tech giant by sharing exploit code publicly. This behavior has drawn attention from cybersecurity expert Kevin Beaumont, particularly because of Microsoft’s response to the situation.
In reaction, Microsoft has indicated plans to pursue legal action against Nightmare Eclipse for not adhering to standard procedures in revealing these security flaws. The company has also deactivated the individual’s accounts on GitHub, GitLab, and the Microsoft Security Response Center. Beaumont highlights the irony in this situation, noting that “responsibly” reporting future vulnerabilities becomes a challenge when one is barred from these platforms.
Beaumont finds it concerning that Microsoft has previously employed individuals who engaged in similar activities, including public dissemination of zero-day exploits and those with histories of hacking-related offenses. Moreover, the company has been known to procure exploits from various brokers.
If Microsoft’s tactic is to try to criminalise not following often arbitrary “responsible disclosure” frameworks, good luck defending that in court — because there’s a whole clown car of prior decision making within Microsoft and facts which would emerge in that process.
