Microsoft threatens criminal action against security researcher

Original: Microsoft under fire for threatening security researcher with criminal investigation

Why This Matters

Highlights ongoing tension between security researchers and tech companies over vulnerability disclosure practices.

Microsoft threatened legal action against researcher 'Nightmare Eclipse' who disclosed unpatched vulnerabilities in Windows Defender and BitLocker. The researcher claims Microsoft mistreated them and revoked their security portal access before public disclosure.

Microsoft published a blog post criticizing security researcher 'Nightmare Eclipse' for publicly disclosing vulnerabilities including BlueHammer, RedSun, UnDefend, and YellowKey affecting Windows Defender and BitLocker. The company argued the researcher should have reported bugs responsibly rather than publishing exploit code. Microsoft's Digital Crimes Unit threatened legal action and criminal referrals. The researcher claimed Microsoft mistreated them and revoked their Security Response Center account access, forcing public disclosure. Some vulnerabilities have since been used in real-world attacks according to Microsoft and CISA. The researcher's GitHub and GitLab accounts were banned after publishing the bugs.

Source

techcrunch.com