Sunday, 31 May 2026

Microsoft Threatens Legal Action Against Security Researcher

Microsoft has come under fire for threatening legal action and police involvement against a security researcher who publicly disclosed several unpatched vulnerabilities in Microsoft products. The researcher, known by the pseudonym 'Nightmare Eclipse', released details of critical security flaws along with exploit code for bugs affecting Windows Defender, BitLocker, and other Microsoft services.

The controversy centres on Microsoft's expectation of 'responsible disclosure', where researchers privately report vulnerabilities to allow companies time to patch them before public release. In a blog post published on Wednesday, Microsoft criticised Nightmare Eclipse for failing to report the bugs—dubbed BlueHammer, RedSun, UnDefend, and YellowKey—through proper channels before making them public. The company warned that its Digital Crimes Unit would pursue legal cases against such actors and those enabling criminal activity, coordinating with law enforcement worldwide as necessary.

Microsoft further claimed that some of the disclosed vulnerabilities have since been exploited by malicious hackers in real-world attacks, a claim supported by the U.S. cybersecurity agency CISA. The tech giant argued that publishing exploit details before patches were available potentially aided cybercriminals and put users at risk.

However, Nightmare Eclipse tells a different story. In recent blog posts, the researcher claimed to have attempted contact with Microsoft, only to be allegedly mistreated by the company. According to Nightmare Eclipse, Microsoft revoked their access to the Microsoft Security Response Centre account—the official portal for reporting vulnerabilities—leaving them with no alternative but to release the information publicly. The researcher published the bugs on GitHub (owned by Microsoft) and GitLab, but both accounts have since been banned.

The incident has sparked widespread criticism of Microsoft's bug bounty programme, with countless security researchers sharing their own negative experiences when attempting to report vulnerabilities to the company. This controversy highlights ongoing tensions between technology corporations and the cybersecurity community regarding proper disclosure practices and how researchers should be treated.

Original source: https://it.slashdot.org/story/26/05/30/0559243/microsoft-criticized-for-threatening-legal-action-against-security-researcher?utm_source=rss1.0mainlinkanon&utm_medium=feed

Article generated by LaRebelionBOT