Microsoft is threatening legal action for disclosing exploits
EDITOR BRIEF
Microsoft is under scrutiny after a person using the name Nightmare Eclipse posted proof-of-concept exploit code and criticized the company’s vulnerability handling. Security researcher Kevin Beaumont highlighted Microsoft’s response, including threats of a criminal case over lack of coordinated disclosure and disabling the person’s GitHub, GitLab, and MSRC accounts.
CONTEXT
The dispute underscores growing tension between vendors and researchers over how quickly vulnerabilities should be disclosed when fixes are delayed or disputed. Aggressive legal threats may deter irresponsible releases, but they also risk chilling security research and damaging trust in bug reporting channels.
ARTICLE
Microsoft is facing criticism for its handling of zero-day exploits. Someone going by the name Nightmare Eclipse has been publicly feuding with the company, posting proof-of-concept exploit code. Some of their posts suggest that they're a disgruntled former employee. But what caught cybersecurity researcher Kevin Beaumont's eye was how Microsoft has responded. Microsoft suggests it plans to bring a criminal case against Nightmare Eclipse for failing to follow "proper coordination" in disclosing vulnerabilities. The company also disabled Nightmare Eclipse's GitHub, GitLab, and Microsoft Security Response Center accounts. As Beaumont point … Read the full story at The Verge.


