A public conflict between Microsoft and a security researcher is reigniting debate within the cybersecurity industry over the rules of vulnerability disclosure. At the center of the dispute is the researcher's publication of several vulnerabilities, together with exploit code, before Microsoft had finished fixing them. Microsoft has condemned the practice, arguing that it helps attackers, and has warned that it may pursue legal and enforcement action against the researcher.
Microsoft publicly criticizes the disclosure.
Microsoft published a blog post on Wednesday criticizing a researcher known online as "Nightmare Eclipse" for publicly disclosing multiple vulnerabilities, including ones named BlueHammer, RedSun UnDefend, and YellowKey. The issues affect products such as Defender, the antivirus engine built into Windows, and BitLocker, the operating system's disk encryption tool.
Microsoft said the researcher did not submit the vulnerabilities through its normal reporting channel and therefore gave the company no time to fix them before details became public. In Microsoft's view, disclosing exploit details ahead of a patch raises the risk of real-world attacks. Microsoft also said that some of these vulnerabilities were subsequently exploited by attackers, a point also noted by CISA, the U.S. cybersecurity agency.
Microsoft's mention of its digital crimes unit sparked a backlash.
In the same blog post, Microsoft said that its digital crimes unit will continue to pursue the individual and those who "aided and abetted" the criminal activity, and will coordinate with law enforcement agencies around the world as needed. The statement has been widely read as a legal threat aimed at the researcher, and by extension at other researchers.
In recent weeks, Nightmare Eclipse has written on his blog that he did contact Microsoft but was treated badly, including having his Microsoft Security Response Center account revoked. That account is the one used to submit vulnerability reports to Microsoft. The researcher says he chose to publish the vulnerabilities only after that communication channel had been cut off.
Publicly available information shows that the vulnerability details were posted on GitHub and GitLab, and that the accounts involved were subsequently banned. GitHub is owned by Microsoft.
Security circles are worried about the chilling effect.
The controversy quickly drew anger from the security research community. The underlying question is not new: once an independent researcher finds a vulnerability, are they obliged to wait until the vendor ships a fix before publishing? And if the vendor mishandles the report, how much of the responsibility should fall on the researcher?
Bug bounty programs and coordinated disclosure processes were created precisely to defuse conflicts like this one. Today most large technology companies pay researchers who report vulnerabilities privately and agree on a date for publishing details once a fix is available.
Katie Moussouris, founder of Luta Security, who previously championed Microsoft's bug bounty program, told TechCrunch that Microsoft's continued use of phrases such as "responsible disclosure" makes it easy to shift blame onto researchers, and that pairing this language with a reference to the digital crimes unit could further erode researchers' trust in Microsoft.
She warned that if researchers stop reporting vulnerabilities to Microsoft, more security issues will go unreported and unfixed, raising risk for everyone. Kevin Beaumont, a former Microsoft employee and now a security researcher, also publicly criticized Microsoft's handling of the situation, saying that the company's direct linking of exploit code to "criminal activity" amounts to a public relations and trust crisis of its own making.