Microsoft has faced criticism recently for its handling of zero-day vulnerabilities. A security researcher who calls himself "Nightmare Eclipse" publicly released proof-of-concept code for exploiting several vulnerabilities and had a public conflict with Microsoft. Some of his remarks suggested that he might be a former Microsoft employee.

What cybersecurity researcher Kevin Beaumont noticed wasn't just the vulnerabilities themselves, but how Microsoft responded. Microsoft said in its official statement that it plans to consider criminal prosecution of Nightmare Eclipse on the grounds that the researcher failed to disclose the vulnerabilities according to "appropriate coordination procedures," and it has successively banned the researcher's accounts on GitHub, GitLab and the Microsoft Security Response Center.

Beaumont pointed out that once the researcher's accounts are completely banned, it will be almost impossible for him to submit future security vulnerabilities through Microsoft's so-called "responsible disclosure" channels. He also emphasized that what is even more ironic is that Microsoft has long employed people who have publicly published zero-day exploit code, including people with criminal records. At the same time, the company also purchases exploits from vulnerability brokers.

In Beaumont's view, Microsoft's current attempt to criminalize "non-compliance with the often rather arbitrary 'responsible disclosure' framework" is untenable. He warned that once such a case is brought to court, Microsoft's past hiring, security strategy and vulnerability purchasing decisions will all be put on the table, forming a "clown car full of inconsistent facts" that would make it difficult for the company to justify its position under judicial review.

Judging from the incident as a whole, Microsoft has not only relied on the security research community but has also bought exploits from, and hired, security researchers who engaged in the same kind of behavior. On the other hand, it has responded to an individual who disclosed publicly with extremely tough, even shocking, criminal charges. The controversy is still brewing in the security community and has rekindled discussions about what constitutes "responsible disclosure" and where the limits of large technology companies' power lie in the vulnerability disclosure game.