The researcher hasexpressed deep disgruntlementwith Microsoft, accusing the company of humiliating them, ignoring their communications, failing to compensate them for reported vulnerabilities, and publicly defaming them.Microsoft, on the other hand, is unhappy with Nightmare Eclipse’s approach, saying the researcher exposed customers to unnecessary risk.The company disabled the researcher’s account on its vulnerability reporting portal and on GitHub, where the PoC exploits had been released and which Microsoft owns.“We remain firmly opposed to these actions, and any disclosure outside proper coordination that could harm our customers and the digital ecosystem. Uncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable and have real-world consequences,” Microsoft said in ablog postdated May 27.The tech giant added, “Our security teams across the company work tirelessly tracking threat actors who look for weaknesses just like these to attack Microsoft and our customers. Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity – coordinating as needed with law enforcement around the world.”This remark sparked discussion and backlash, with some members of the cybersecurity community viewing it as a threat of legal action for disclosing unpatched vulnerabilities.“I’m deeply uncomfortable with Microsoft attempting to weaponize their extensive law enforcement contacts to arrest people who post zero days in the products,” researcher Kevin Beaumontcommented.Florian Roth, head of research at Nextron Systems,noted, “Maybe Nightmare Eclipse was unreasonable. Maybe Microsoft was. Maybe both. But I think Microsoft badly misjudged this situation.”“When you’re the largest software vendor on the planet, you don’t get to behave like an angry individual in an internet argument. You have to be the adult in the room,” Roth added. “Deleting repositories, talking about criminal investigations and turning the whole thing into a public fight was a mistake. The damage from that goes far beyond this one researcher.”In response to the backlash, Microsoft issuedclarificationsvia X on June 1. The company affirmed its deep appreciation for the security research community and acknowledged that relationships between researchers and vendors can sometimes be challenging.“To be clear about our approach to legal matters, we have no intention to pursue action against individuals conducting or publishing their security research,” Microsoft said. “When an individual breaks the law and engages in malicious activity causing real harm to our customers, we will work with law enforcement as appropriate.”It added, “The security community plays a vital role in helping us protect customers. We are committed to maintaining a constructive and respectful relationship and growing together. We know that, given the nature of this work, there will at times be misunderstandings. We remain committed to engaging in good faith and to providing a respectful and professional experience for all researchers, regardless of past interactions.”In response to Microsoft’s post, Nightmare Eclipsesuggestedon X that the company did file legal action against them over the disclosures.The researcher plans on releasing a full BitLocker bypass later this month.Related:Oracle WebLogic Vulnerability Exploited in the WildRelated:Android Update Patches Exploited Zero-Day, 123 Other Vulnerabilities
Microsoft, on the other hand, is unhappy with Nightmare Eclipse’s approach, saying the researcher exposed customers to unnecessary risk.The company disabled the researcher’s account on its vulnerability reporting portal and on GitHub, where the PoC exploits had been released and which Microsoft owns.“We remain firmly opposed to these actions, and any disclosure outside proper coordination that could harm our customers and the digital ecosystem. Uncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable and have real-world consequences,” Microsoft said in ablog postdated May 27.The tech giant added, “Our security teams across the company work tirelessly tracking threat actors who look for weaknesses just like these to attack Microsoft and our customers. Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity – coordinating as needed with law enforcement around the world.”This remark sparked discussion and backlash, with some members of the cybersecurity community viewing it as a threat of legal action for disclosing unpatched vulnerabilities.“I’m deeply uncomfortable with Microsoft attempting to weaponize their extensive law enforcement contacts to arrest people who post zero days in the products,” researcher Kevin Beaumontcommented.Florian Roth, head of research at Nextron Systems,noted, “Maybe Nightmare Eclipse was unreasonable. Maybe Microsoft was. Maybe both. But I think Microsoft badly misjudged this situation.”“When you’re the largest software vendor on the planet, you don’t get to behave like an angry individual in an internet argument. You have to be the adult in the room,” Roth added. “Deleting repositories, talking about criminal investigations and turning the whole thing into a public fight was a mistake. The damage from that goes far beyond this one researcher.”In response to the backlash, Microsoft issuedclarificationsvia X on June 1. The company affirmed its deep appreciation for the security research community and acknowledged that relationships between researchers and vendors can sometimes be challenging.“To be clear about our approach to legal matters, we have no intention to pursue action against individuals conducting or publishing their security research,” Microsoft said. “When an individual breaks the law and engages in malicious activity causing real harm to our customers, we will work with law enforcement as appropriate.”It added, “The security community plays a vital role in helping us protect customers. We are committed to maintaining a constructive and respectful relationship and growing together. We know that, given the nature of this work, there will at times be misunderstandings. We remain committed to engaging in good faith and to providing a respectful and professional experience for all researchers, regardless of past interactions.”In response to Microsoft’s post, Nightmare Eclipsesuggestedon X that the company did file legal action against them over the disclosures.The researcher plans on releasing a full BitLocker bypass later this month.Related:Oracle WebLogic Vulnerability Exploited in the WildRelated:Android Update Patches Exploited Zero-Day, 123 Other Vulnerabilities
The company disabled the researcher’s account on its vulnerability reporting portal and on GitHub, where the PoC exploits had been released and which Microsoft owns.“We remain firmly opposed to these actions, and any disclosure outside proper coordination that could harm our customers and the digital ecosystem. Uncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable and have real-world consequences,” Microsoft said in ablog postdated May 27.The tech giant added, “Our security teams across the company work tirelessly tracking threat actors who look for weaknesses just like these to attack Microsoft and our customers. Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity – coordinating as needed with law enforcement around the world.”This remark sparked discussion and backlash, with some members of the cybersecurity community viewing it as a threat of legal action for disclosing unpatched vulnerabilities.“I’m deeply uncomfortable with Microsoft attempting to weaponize their extensive law enforcement contacts to arrest people who post zero days in the products,” researcher Kevin Beaumontcommented.Florian Roth, head of research at Nextron Systems,noted, “Maybe Nightmare Eclipse was unreasonable. Maybe Microsoft was. Maybe both. But I think Microsoft badly misjudged this situation.”“When you’re the largest software vendor on the planet, you don’t get to behave like an angry individual in an internet argument. You have to be the adult in the room,” Roth added. “Deleting repositories, talking about criminal investigations and turning the whole thing into a public fight was a mistake. The damage from that goes far beyond this one researcher.”In response to the backlash, Microsoft issuedclarificationsvia X on June 1. The company affirmed its deep appreciation for the security research community and acknowledged that relationships between researchers and vendors can sometimes be challenging.“To be clear about our approach to legal matters, we have no intention to pursue action against individuals conducting or publishing their security research,” Microsoft said. “When an individual breaks the law and engages in malicious activity causing real harm to our customers, we will work with law enforcement as appropriate.”It added, “The security community plays a vital role in helping us protect customers. We are committed to maintaining a constructive and respectful relationship and growing together. We know that, given the nature of this work, there will at times be misunderstandings. We remain committed to engaging in good faith and to providing a respectful and professional experience for all researchers, regardless of past interactions.”In response to Microsoft’s post, Nightmare Eclipsesuggestedon X that the company did file legal action against them over the disclosures.The researcher plans on releasing a full BitLocker bypass later this month.Related:Oracle WebLogic Vulnerability Exploited in the WildRelated:Android Update Patches Exploited Zero-Day, 123 Other Vulnerabilities
“We remain firmly opposed to these actions, and any disclosure outside proper coordination that could harm our customers and the digital ecosystem. Uncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable and have real-world consequences,” Microsoft said in ablog postdated May 27.The tech giant added, “Our security teams across the company work tirelessly tracking threat actors who look for weaknesses just like these to attack Microsoft and our customers. Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity – coordinating as needed with law enforcement around the world.”This remark sparked discussion and backlash, with some members of the cybersecurity community viewing it as a threat of legal action for disclosing unpatched vulnerabilities.“I’m deeply uncomfortable with Microsoft attempting to weaponize their extensive law enforcement contacts to arrest people who post zero days in the products,” researcher Kevin Beaumontcommented.Florian Roth, head of research at Nextron Systems,noted, “Maybe Nightmare Eclipse was unreasonable. Maybe Microsoft was. Maybe both. But I think Microsoft badly misjudged this situation.”“When you’re the largest software vendor on the planet, you don’t get to behave like an angry individual in an internet argument. You have to be the adult in the room,” Roth added. “Deleting repositories, talking about criminal investigations and turning the whole thing into a public fight was a mistake. The damage from that goes far beyond this one researcher.”In response to the backlash, Microsoft issuedclarificationsvia X on June 1. The company affirmed its deep appreciation for the security research community and acknowledged that relationships between researchers and vendors can sometimes be challenging.“To be clear about our approach to legal matters, we have no intention to pursue action against individuals conducting or publishing their security research,” Microsoft said. “When an individual breaks the law and engages in malicious activity causing real harm to our customers, we will work with law enforcement as appropriate.”It added, “The security community plays a vital role in helping us protect customers. We are committed to maintaining a constructive and respectful relationship and growing together. We know that, given the nature of this work, there will at times be misunderstandings. We remain committed to engaging in good faith and to providing a respectful and professional experience for all researchers, regardless of past interactions.”In response to Microsoft’s post, Nightmare Eclipsesuggestedon X that the company did file legal action against them over the disclosures.The researcher plans on releasing a full BitLocker bypass later this month.Related:Oracle WebLogic Vulnerability Exploited in the WildRelated:Android Update Patches Exploited Zero-Day, 123 Other Vulnerabilities
The tech giant added, “Our security teams across the company work tirelessly tracking threat actors who look for weaknesses just like these to attack Microsoft and our customers. Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity – coordinating as needed with law enforcement around the world.”This remark sparked discussion and backlash, with some members of the cybersecurity community viewing it as a threat of legal action for disclosing unpatched vulnerabilities.“I’m deeply uncomfortable with Microsoft attempting to weaponize their extensive law enforcement contacts to arrest people who post zero days in the products,” researcher Kevin Beaumontcommented.Florian Roth, head of research at Nextron Systems,noted, “Maybe Nightmare Eclipse was unreasonable. Maybe Microsoft was. Maybe both. But I think Microsoft badly misjudged this situation.”“When you’re the largest software vendor on the planet, you don’t get to behave like an angry individual in an internet argument. You have to be the adult in the room,” Roth added. “Deleting repositories, talking about criminal investigations and turning the whole thing into a public fight was a mistake. The damage from that goes far beyond this one researcher.”In response to the backlash, Microsoft issuedclarificationsvia X on June 1. The company affirmed its deep appreciation for the security research community and acknowledged that relationships between researchers and vendors can sometimes be challenging.“To be clear about our approach to legal matters, we have no intention to pursue action against individuals conducting or publishing their security research,” Microsoft said. “When an individual breaks the law and engages in malicious activity causing real harm to our customers, we will work with law enforcement as appropriate.”It added, “The security community plays a vital role in helping us protect customers. We are committed to maintaining a constructive and respectful relationship and growing together. We know that, given the nature of this work, there will at times be misunderstandings. We remain committed to engaging in good faith and to providing a respectful and professional experience for all researchers, regardless of past interactions.”In response to Microsoft’s post, Nightmare Eclipsesuggestedon X that the company did file legal action against them over the disclosures.The researcher plans on releasing a full BitLocker bypass later this month.Related:Oracle WebLogic Vulnerability Exploited in the WildRelated:Android Update Patches Exploited Zero-Day, 123 Other Vulnerabilities
This remark sparked discussion and backlash, with some members of the cybersecurity community viewing it as a threat of legal action for disclosing unpatched vulnerabilities.“I’m deeply uncomfortable with Microsoft attempting to weaponize their extensive law enforcement contacts to arrest people who post zero days in the products,” researcher Kevin Beaumontcommented.Florian Roth, head of research at Nextron Systems,noted, “Maybe Nightmare Eclipse was unreasonable. Maybe Microsoft was. Maybe both. But I think Microsoft badly misjudged this situation.”“When you’re the largest software vendor on the planet, you don’t get to behave like an angry individual in an internet argument. You have to be the adult in the room,” Roth added. “Deleting repositories, talking about criminal investigations and turning the whole thing into a public fight was a mistake. The damage from that goes far beyond this one researcher.”In response to the backlash, Microsoft issuedclarificationsvia X on June 1. The company affirmed its deep appreciation for the security research community and acknowledged that relationships between researchers and vendors can sometimes be challenging.“To be clear about our approach to legal matters, we have no intention to pursue action against individuals conducting or publishing their security research,” Microsoft said. “When an individual breaks the law and engages in malicious activity causing real harm to our customers, we will work with law enforcement as appropriate.”It added, “The security community plays a vital role in helping us protect customers. We are committed to maintaining a constructive and respectful relationship and growing together. We know that, given the nature of this work, there will at times be misunderstandings. We remain committed to engaging in good faith and to providing a respectful and professional experience for all researchers, regardless of past interactions.”In response to Microsoft’s post, Nightmare Eclipsesuggestedon X that the company did file legal action against them over the disclosures.The researcher plans on releasing a full BitLocker bypass later this month.Related:Oracle WebLogic Vulnerability Exploited in the WildRelated:Android Update Patches Exploited Zero-Day, 123 Other Vulnerabilities
“I’m deeply uncomfortable with Microsoft attempting to weaponize their extensive law enforcement contacts to arrest people who post zero days in the products,” researcher Kevin Beaumontcommented.Florian Roth, head of research at Nextron Systems,noted, “Maybe Nightmare Eclipse was unreasonable. Maybe Microsoft was. Maybe both. But I think Microsoft badly misjudged this situation.”“When you’re the largest software vendor on the planet, you don’t get to behave like an angry individual in an internet argument. You have to be the adult in the room,” Roth added. “Deleting repositories, talking about criminal investigations and turning the whole thing into a public fight was a mistake. The damage from that goes far beyond this one researcher.”In response to the backlash, Microsoft issuedclarificationsvia X on June 1. The company affirmed its deep appreciation for the security research community and acknowledged that relationships between researchers and vendors can sometimes be challenging.“To be clear about our approach to legal matters, we have no intention to pursue action against individuals conducting or publishing their security research,” Microsoft said. “When an individual breaks the law and engages in malicious activity causing real harm to our customers, we will work with law enforcement as appropriate.”It added, “The security community plays a vital role in helping us protect customers. We are committed to maintaining a constructive and respectful relationship and growing together. We know that, given the nature of this work, there will at times be misunderstandings. We remain committed to engaging in good faith and to providing a respectful and professional experience for all researchers, regardless of past interactions.”In response to Microsoft’s post, Nightmare Eclipsesuggestedon X that the company did file legal action against them over the disclosures.The researcher plans on releasing a full BitLocker bypass later this month.Related:Oracle WebLogic Vulnerability Exploited in the WildRelated:Android Update Patches Exploited Zero-Day, 123 Other Vulnerabilities
Florian Roth, head of research at Nextron Systems,noted, “Maybe Nightmare Eclipse was unreasonable. Maybe Microsoft was. Maybe both. But I think Microsoft badly misjudged this situation.”“When you’re the largest software vendor on the planet, you don’t get to behave like an angry individual in an internet argument. You have to be the adult in the room,” Roth added. “Deleting repositories, talking about criminal investigations and turning the whole thing into a public fight was a mistake. The damage from that goes far beyond this one researcher.”In response to the backlash, Microsoft issuedclarificationsvia X on June 1. The company affirmed its deep appreciation for the security research community and acknowledged that relationships between researchers and vendors can sometimes be challenging.“To be clear about our approach to legal matters, we have no intention to pursue action against individuals conducting or publishing their security research,” Microsoft said. “When an individual breaks the law and engages in malicious activity causing real harm to our customers, we will work with law enforcement as appropriate.”It added, “The security community plays a vital role in helping us protect customers. We are committed to maintaining a constructive and respectful relationship and growing together. We know that, given the nature of this work, there will at times be misunderstandings. We remain committed to engaging in good faith and to providing a respectful and professional experience for all researchers, regardless of past interactions.”In response to Microsoft’s post, Nightmare Eclipsesuggestedon X that the company did file legal action against them over the disclosures.The researcher plans on releasing a full BitLocker bypass later this month.Related:Oracle WebLogic Vulnerability Exploited in the WildRelated:Android Update Patches Exploited Zero-Day, 123 Other Vulnerabilities
“When you’re the largest software vendor on the planet, you don’t get to behave like an angry individual in an internet argument. You have to be the adult in the room,” Roth added. “Deleting repositories, talking about criminal investigations and turning the whole thing into a public fight was a mistake. The damage from that goes far beyond this one researcher.”In response to the backlash, Microsoft issuedclarificationsvia X on June 1. The company affirmed its deep appreciation for the security research community and acknowledged that relationships between researchers and vendors can sometimes be challenging.“To be clear about our approach to legal matters, we have no intention to pursue action against individuals conducting or publishing their security research,” Microsoft said. “When an individual breaks the law and engages in malicious activity causing real harm to our customers, we will work with law enforcement as appropriate.”It added, “The security community plays a vital role in helping us protect customers. We are committed to maintaining a constructive and respectful relationship and growing together. We know that, given the nature of this work, there will at times be misunderstandings. We remain committed to engaging in good faith and to providing a respectful and professional experience for all researchers, regardless of past interactions.”In response to Microsoft’s post, Nightmare Eclipsesuggestedon X that the company did file legal action against them over the disclosures.The researcher plans on releasing a full BitLocker bypass later this month.Related:Oracle WebLogic Vulnerability Exploited in the WildRelated:Android Update Patches Exploited Zero-Day, 123 Other Vulnerabilities
In response to the backlash, Microsoft issuedclarificationsvia X on June 1. The company affirmed its deep appreciation for the security research community and acknowledged that relationships between researchers and vendors can sometimes be challenging.“To be clear about our approach to legal matters, we have no intention to pursue action against individuals conducting or publishing their security research,” Microsoft said. “When an individual breaks the law and engages in malicious activity causing real harm to our customers, we will work with law enforcement as appropriate.”It added, “The security community plays a vital role in helping us protect customers. We are committed to maintaining a constructive and respectful relationship and growing together. We know that, given the nature of this work, there will at times be misunderstandings. We remain committed to engaging in good faith and to providing a respectful and professional experience for all researchers, regardless of past interactions.”In response to Microsoft’s post, Nightmare Eclipsesuggestedon X that the company did file legal action against them over the disclosures.The researcher plans on releasing a full BitLocker bypass later this month.Related:Oracle WebLogic Vulnerability Exploited in the WildRelated:Android Update Patches Exploited Zero-Day, 123 Other Vulnerabilities
Source: SecurityWeek
