Microsoft Slams Researcher for Disclosing Unpatched Bugs, Including Defender and BitLocker Flaws

Microsoft has publicly criticized a security researcher known as "Nightmare Eclipse" for disclosing multiple zero-day vulnerabilities without prior coordination with the company. The flaws, named BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, and MiniPlasma, affect widely used Microsoft products, including the Windows built-in antivirus engine Defender and the disk-encryption tool BitLocker.

Microsoft's Stance on Responsible Disclosure

In a blog post, Microsoft emphasized that the researcher did not follow the industry-standard Coordinated Vulnerability Disclosure (CVD) process, which requires researchers to report bugs to the vendor before making them public. The company stated that such uncoordinated disclosures put millions of customers at unnecessary risk by providing proof-of-concept code to malicious actors before patches are available.

Microsoft noted that it works with hundreds of security researchers annually through CVD, compensating them for responsible disclosures and publicly acknowledging their contributions. The company expressed strong opposition to disclosures outside proper coordination, warning that they have real-world consequences.


Real-World Attacks and CISA's Agreement

According to Microsoft, some of the vulnerabilities disclosed by Nightmare Eclipse have already been exploited by hackers in real-world attacks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also agreed with Microsoft's position, condemning the uncoordinated disclosure.

Microsoft's security teams have been working around the clock to develop updates and protect customers. The company's Digital Crimes Unit is actively pursuing legal action against threat actors and those enabling their criminal activity, coordinating with law enforcement globally.

Microsoft's Commitment to Security Research

Despite the criticism, Microsoft reiterated its commitment to supporting responsible security research. The company invites vulnerability submissions through its public researcher portal, regardless of past interactions or reputation. It also engages with the security community at conferences, appreciation events, and through daily collaboration to understand and address vulnerabilities.

Microsoft concluded that while disagreements may arise, it remains dedicated to transparency and dialogue to protect the digital ecosystem.
