
Microsoft Faces Backlash Over Handling of Zero-Day Vulnerability Disclosures

Microsoft is facing criticism from the cybersecurity community over its handling of vulnerability disclosures. A researcher operating under the name "Nightmare Eclipse" has been publicly posting proof-of-concept exploit code for unpatched Microsoft vulnerabilities and appears to be in a dispute with the company; some of the researcher's posts suggest they may be a disgruntled former employee.

Security researcher Kevin Beaumont drew attention to Microsoft's response, which includes the suggestion that the company may pursue a criminal case against the researcher for allegedly failing to follow coordinated disclosure procedures. Alongside the legal threat, Microsoft has disabled Nightmare Eclipse's accounts on GitHub, GitLab, and the Microsoft Security Response Center (MSRC), the channel through which researchers are expected to report vulnerabilities to Microsoft.

The situation raises questions about how vendors handle disclosures that arrive outside official channels and how they manage relationships with the researchers who make them. Revoking a researcher's MSRC access while faulting them for not coordinating also closes the one route Microsoft offers for coordination. The incident adds to the ongoing debate within the security community over the balance between coordinated disclosure practices and a researcher's right to publish findings.
