Microsoft is facing criticism for its handling of zero-day exploits. Someone going by the name Nightmare Eclipse has been publicly feuding with the company, posting proof-of-concept exploit code. Some of their posts suggest that they're a disgruntled former employee. But what caught cyber security researcher Kevin Beaumont's eye was how Microsoft has responded.
Microsoft suggests it plans to bring a criminal case against Nightmare Eclipse for failing to follow "proper coordination" in disclosing vulnerabilities. They also disabled Nightmare Eclipse's GitHub, GitLab, and Microsoft Security Response Center accounts. As Beaumont points out, "It's quite difficult to 'responsibly' report future vulnerabilities when you have been banned."
What troubles Beaumont is that Microsoft has hired people who have done many of the exact same things. They've employed people who have publicly posted zero-day exploits, some with criminal hacking convictions on their record. Microsoft has also purchased exploits from brokers.
If Microsoft's tactic is to try to criminalise not following often arbitrary "responsible disclosure" frameworks, good luck defending that in court — because there's a whole clown car of prior decision making within Microsoft and facts which would emerge in that process.
Read the full article here