Microsoft faces backlash after a blog post implied criminal referral and legal action against security researcher Nightmare Eclipse over public bug disclosures

After a security researcher published a series of unpatched bugs in Microsoft products, along with code to exploit them …

Source: TechCrunch, Lorenzo Franceschi-Bicchierai

Discussion

  • @arekfurt on x
    Working at MSRC handling vuln reports has to be one of the most utterly thankless jobs in tech. You have to find incredibly important reports in a crush of crap while retroactively justifying the decisions of product teams on what to fix when using flawed servicing guidelines.
  • @zackkorman Zack Korman on x
    Microsoft will do anything to stop people posting zero days except fix MSRC. [image]
  • @rootsecdev on x
    Last time I dealt with MSRC: responsibly disclosed an issue with legacy auth that allowed me to spray passwords at <redacted endpoint> and avoid smart lockout. Receives email… 5 months after initial case opening. “Doesn't meet the bar for servicing.” Microsoft silently
  • @gabriellandau Gabriel Landau on x
    My last submission to MSRC was for a Device Guard bypass. I learned my lesson from prior drawn-out submissions, so I included a 90 day window this time. MSRC responded saying that it met their bar and they would fix it, but asked me to withhold disclosure well past 90 days
  • @nathanmcnulty Nathan McNulty on x
    Since everyone is sharing MSRC stories 🙃 I had a PrivEsc from User Admin, a role many give helpdesk or HR, to Global Admin. MSRC: Not a vulnerability, requires a built-in Microsoft app in the tenant to exploit. Also MSRC: It's a vulnerability when someone else submits it 🤷‍♂️
  • @vxunderground on x
    Microsoft Security Response Center put out a blog post today about the Eclipse Nightmare guy. Basically they think he's super mean and totally not cool he's dropping zero days. They say you're a jerk if you do this stuff because it's dangerous and stuff. https://www.microsoft.com/...
  • @spidermorpheus on x
    This is important. MSRC is probably the loudest worst case but check any bug hunter and they will have a myriad of cases where vendors act in bad faith. Doing the righteous thing is good but unfortunately it does not pay the bills. We need to understand as a society that if we
  • @vxunderground on x
    Chat, I don't want to be that guy, but I think Microsoft has really pissed off security researchers and we're approaching the tipping point. This Eclipse guy has really rocked the boat for Microsoft. [image]
  • @zodttd on x
    Microsoft ridiculed a researcher reporting very serious bugs to them, deleted his account, and no bug bounties were paid. These should be high payouts. Now $MSFT is threatening legal action and speaking as if a researcher's proof of concept code is illegal. This is because the
  • @hackinglz Justin Elze on x
    Few things unite the security community more than collectively dragging MSRC.
  • @wdormann on x
    Since we're all sharing MSRC stories: Once at the CERT/CC I got the CVE ID for a public case and published the ID before Microsoft had an update released for it. MSRC was very mad at me because in their minds CVE IDs are used to identify Patch Tuesday updates, and are secret.
  • Nikhil Mittal on linkedin
    They have dropped the facade built over the last decade.  —  https://lnkd.in/...
  • Jessica Lyons on linkedin
    “The bugs are Microsoft's,” Luta Security CEO Katie Moussouris told me.  “They wrote the code and they own the risk to customers. …
  • @zackwhittaker@mastodon.social Zack Whittaker on mastodon
    NEW: Microsoft is facing heavy criticism from the cybersecurity community for threatening to take legal action and call the cops on a security researcher who published unpatched bugs online.  —  Cybersecurity veterans warned that Microsoft's approach here could result in a chilli…