Microsoft has initiated a move to pursue criminal action against a security researcher operating under the pseudonym 'Nightmare Eclipse,' marking a significant escalation in a public dispute regarding the disclosure of zero-day vulnerabilities. As part of this enforcement, the company has moved to disable the researcher’s access to the Microsoft Security Response Center, as well as their associated GitHub and GitLab accounts, following the public posting of proof-of-concept exploit code.
While reports suggest the researcher may be a former Microsoft employee, the company has centered its public response on the individual's failure to adhere to 'proper coordination' standards. Microsoft recently issued new guidance emphasizing a shared responsibility model for customer protection, which the company argues was explicitly violated by the researcher’s decision to bypass private reporting channels.
The company’s aggressive legal stance has drawn sharp criticism from cybersecurity expert Kevin Beaumont. Beaumont highlighted what he described as the irony of the situation, noting that Microsoft has previously employed individuals who have publicly disclosed zero-day exploits, including some with past criminal hacking convictions. Furthermore, he pointed out that the company has historically engaged in the practice of purchasing exploits from third-party brokers.
Beaumont questioned the efficacy of Microsoft's current approach, noting that it is difficult for researchers to 'responsibly' report future vulnerabilities once they have been banned from the company's platforms. He warned that if Microsoft attempts to criminalize departures from its 'responsible disclosure' frameworks, it could face a difficult legal battle.
According to Beaumont, the discovery process in such a case would likely expose inconsistent internal practices at the company. He stated, 'If Microsoft’s tactic is to try to criminalise not following often arbitrary “responsible disclosure” frameworks, good luck defending that in court — because there’s a whole clown car of prior decision making within Microsoft and facts which would emerge in that process.'
