{
    "success": true,
    "data": {
        "id": 1774737,
        "msgid": "microsoft-faces-criticism-after-threatening-security-researchers-1780153221",
        "date": "2026-05-30 21:13:20",
        "title": "Microsoft faces criticism after threatening security researchers",
        "author": "",
        "source": "ANTARA_ID",
        "tags": "",
        "topic": "Technology",
        "summary": "Microsoft has sparked controversy by threatening legal action against a security researcher who disclosed unpatched vulnerabilities in its products. The dispute reignites long-standing debates about responsible disclosure practices and whether companies adequately reward researchers for uncovering flaws.",
        "content": "<p>After a security researcher published a series of unpatched\nvulnerabilities in Microsoft products along with exploit code, the\ncompany has threatened legal action and involvement of law enforcement\nagencies. TechCrunch reported on Friday (29 May) that Microsoft\u2019s threat\nhas reignited longstanding debates about the extent of security\nresearchers\u2019 responsibility in disclosing vulnerabilities affecting\nlarge tech firms. On Wednesday (28 May), Microsoft published a blog post\ncriticising the researcher, known as \u201cNightmare Eclipse\u201d, for publicly\ndisclosing vulnerabilities including BlueHammer, RedSun, UnDefend, and\nYellowKey. These flaws affect Windows Defender antivirus and BitLocker\ndisk encryption tools. Microsoft\u2019s core complaint is that the researcher\ndid not report the vulnerabilities for correction. The company defines\nsuch disclosure as \u201cresponsible\u201d. It also argued that publishing details\nbefore patches are released could aid malicious actors. \u201cOur Digital\nCrimes Unit will continue to pursue cases against these perpetrators and\nthose enabling their criminal activities, and coordinate with law\nenforcement globally if necessary,\u201d Microsoft stated. The Digital Crimes\nUnit, according to Microsoft\u2019s website, protects the company through\ncivil legal action, technical countermeasures, criminal referrals, and\npublic-private partnerships. Nightmare Eclipse claimed in a series of\nblogs that they communicated with Microsoft but were treated poorly,\nincluding having their Microsoft Security Response Center account\nrevoked\u2014the portal where researchers report vulnerabilities. They stated\nthey had no choice but to publicly release the vulnerabilities,\neffectively making them zero-days. The researcher published the details\non GitHub and GitLab, both owned by Microsoft, before their accounts\nwere blocked. Neither party responded to comment requests.\nThe dispute\nhas revived longstanding debates: do independent security researchers\nhave an obligation to ensure vulnerabilities are fixed, and how far\nshould they go to compel companies to act? While the right to payment\nfor researchers is widely accepted\u2014reflected in bug bounty programs\noffering up to hundreds of thousands of dollars\u2014many in the\ncybersecurity community are openly dissatisfied with Microsoft\u2019s\nhandling of the issue. Veteran security experts, including Katie\nMoussouris, founder of Luta Security, criticised Microsoft. During her\ntenure at Microsoft in the mid-to-late 2000s, Moussouris pioneered the\nbug bounty program and advocated replacing \u201cresponsible disclosure\u201d with\n\u201ccoordinated disclosure\u201d. \u201cThe use of \u2018responsible disclosure\u2019 was a\nmistake,\u201d Moussouris said, referencing Microsoft\u2019s blog post.\n\u201cThreatening prosecution via the Digital Crimes Unit is excessive and\nwill deter security researchers from trusting Microsoft.\u201d She warned\nthat losing researchers\u2019 trust could lead to fewer vulnerability\nreports, making everyone less secure. Kevin Beaumont, a former Microsoft\nemployee and security researcher, also criticised the company, calling\nits stance \u201cself-created chaos\u201d. \u201cIs creating and distributing\nproof-of-concept exploits for zero-days now considered \u2018criminal\nactivity\u2019?\u201d Beaumont wrote. \u201cResponsible disclosure is often framed to\nprotect product owners, not customers. Using it to pursue criminal\ncharges is a new low.\u201d<\/p>",
        "url": "https:\/\/jawawa.id\/newsitem\/microsoft-faces-criticism-after-threatening-security-researchers-1780153221",
        "image": ""
    },
    "sponsor": "Okusi Associates",
    "sponsor_url": "https:\/\/okusiassociates.com"
}