Microsoft threatens legal action against researcher 'Nightmare Eclipse' for disclosing exploits

Microsoft is considering a possible criminal case against a security researcher identifying as 'Nightmare Eclipse', a development reported by The Verge. Microsoft's decision was triggered by the researcher's repeated public disclosure of proof-of-concept exploit code, and it has set off a heated debate in the global cybersecurity sector over the limits of responsible-disclosure protocols.
Nightmare Eclipse is a researcher of unknown identity who is particularly active on social media. According to The Verge's account, over the past six months they disclosed five separate zero-day vulnerabilities in Windows and Microsoft 365 products on social media. Some of those vulnerabilities had not yet been patched by Microsoft, whose official responsible-disclosure channel is the Microsoft Security Response Center (MSRC). Some of the researcher's social-media posts also contain content suggesting they may be a former Microsoft employee.
In Microsoft's written statement to The Verge, the company said that 'the information Nightmare Eclipse has published publicly offers malware writers an attack roadmap that harms millions of Windows users'. The company spokesperson confirmed that Microsoft is considering 'a criminal case under the Computer Fraud and Abuse Act (CFAA)' among the possible options. Microsoft also said it had suspended the researcher's GitHub, GitLab and MSRC accounts.
Microsoft's consideration of legal action triggered sharp reactions in the sector. According to The Verge, security researcher Kevin Beaumont criticised the company's approach, saying 'Microsoft is redirecting the pressure it faces for failing to patch the vulnerabilities in time onto the researchers who disclosed them'. Beaumont noted that three of the five zero-day vulnerabilities that Nightmare Eclipse had disclosed are still unpatched.
The responsible-disclosure debate has become one of the most sensitive subjects in cybersecurity over the past decade. The traditional practice is that researchers first report vulnerabilities privately to the vendor, which then prepares a patch within a reasonable period (commonly 90 days). If the vendor fails to act within that period, researchers may choose to disclose the vulnerability publicly, both to warn end users and to put public pressure on the vendor.
According to the sector analysis carried by The Verge, Microsoft's stance against Nightmare Eclipse departs from the traditional responsible-disclosure protocol. The company did not make a definitive statement on whether the researcher had first reported the vulnerabilities to it. Former Microsoft security engineer Tarah Wheeler told The Verge that 'the general practices of the sector are in favour of researchers; however, in recent years large companies have begun to push this practice'.
Digital-rights organisations such as the Electronic Frontier Foundation (EFF) and the Center for Democracy and Technology (CDT) have taken a critical position against Microsoft's action. The EFF's senior security policy adviser Eva Galperin told The Verge that 'responsible disclosure is ceasing to be a truly equal principle — large companies are now moving from regarding researchers as acceptable to positioning them as threats'. The EFF noted that the Nightmare Eclipse case could become a test case in the coming weeks, with EFF's legal team providing advice.
Microsoft's annual cybersecurity budget is estimated at roughly 4 billion dollars, and according to The Verge a significant portion of it goes to security research coordinated with third parties. The MSRC's bug bounty programme receives about 13,000 security reports each year from around 500 researchers; roughly 100 of those reports earn rewards exceeding 50,000 dollars. The Nightmare Eclipse case falls outside this standard process, which is why Microsoft is now considering the legal route.
Comments from people associated with other major technology companies have been more measured. Maddie Stone, a former Google security engineer, told The Verge that 'when responsible disclosure is not applied, it is possible to find malicious actors applying extraordinary pressure for vulnerabilities to be patched. But legal action is a threshold that should not be crossed'. Apple is reported to have started legal proceedings in a similar case in 2024 but ultimately withdrew them.
This article does not constitute legal or cybersecurity advice. Security researchers should consult their own legal advisers before deciding on public disclosure. Whether Microsoft files a case in the coming weeks will set a critical precedent for the sector. The Verge's coverage emphasises that digital-rights organisations and sector analysts are following the development closely and that this case could become an important test point for the future of responsible-disclosure policies.