Bottom line: A security researcher and Microsoft are publicly disputing disclosure practices. The researcher complains about rejected communication and deleted accounts; Microsoft argues that uncontrolled disclosures create real risks. A Microsoft executive hints that patching practices could be reviewed.
A prominent cybersecurity researcher and Microsoft are engaged in a public dispute over responsible vulnerability disclosure standards. The researcher accuses the corporation of poor communication, while Microsoft criticizes uncontrolled disclosures that put exploit code into attackers’ hands.
A cybersecurity researcher known by the pseudonym Nightmare Eclipse and Microsoft are engaged in an intense exchange over standards for vulnerability disclosure. According to his own account, the researcher had repeatedly attempted to contact Microsoft officials and was rebuffed. He subsequently published details of unpatched security vulnerabilities.
In his posts, the researcher accused Microsoft of publicly humiliating and insulting him. He also criticized Microsoft for deleting his account and suspending his GitHub account, even though he had reported security vulnerabilities for free. In a controversial statement, he referenced a date (July 14) and hinted at “ensuring” that “your bones are shattered.”
In further postings, the researcher described a pattern of systematic obstruction: Microsoft would “do anything but support the research community” and actively sabotage researchers, without providing further details.
Microsoft responded with its own statement, arguing that some of the vulnerabilities disclosed by the researcher were not reported responsibly. The company emphasized: “Uncoordinated disclosures that provide proof-of-concept code for unpatched vulnerabilities to malicious actors are never justified and have real consequences.” Microsoft alluded to the researcher’s allegedly poor reputation and stressed that it continues to welcome vulnerability reports through its public portal.
Tom Gallagher, Vice President of Engineering at the Microsoft Security Response Center (MSRC), struck a more diplomatic tone. He signaled that Microsoft might reconsider its approach to bug reports. Gallagher reaffirmed that severity will continue to be based on real exploitability, but acknowledged: “The pace at which these fundamentals must be applied is changing.” He urged researchers to review whether practices from a few years ago still match the current threat environment.
The dispute reveals a fundamental tension in the cybersecurity industry: many researchers feel ignored by large vendors or experience unreasonable delays in patches, and communication about the status of reported issues is often poor. Conversely, vendors argue that finite resources force prioritization and that not every reported vulnerability can be addressed immediately.
Source: www.csoonline.com
Lumi AI News – AI-assisted curation in accordance with Article 50 EU AI Act.