Indonesian Political, Business & Finance News

Microsoft faces criticism after threatening security researchers

| Source: ANTARA_ID Translated from Indonesian | Technology

After a security researcher published a series of unpatched vulnerabilities in Microsoft products along with exploit code, the company has threatened legal action and involvement of law enforcement agencies. TechCrunch reported on Friday (29 May) that Microsoft’s threat has reignited longstanding debates about the extent of security researchers’ responsibility in disclosing vulnerabilities affecting large tech firms.

On Wednesday (28 May), Microsoft published a blog post criticising the researcher, known as “Nightmare Eclipse”, for publicly disclosing vulnerabilities including BlueHammer, RedSun, UnDefend, and YellowKey. These flaws affect Windows Defender antivirus and BitLocker disk encryption tools. Microsoft’s core complaint is that the researcher did not report the vulnerabilities so they could be fixed first; the company calls that form of disclosure “responsible”. It also argued that publishing details before patches are released could aid malicious actors.

“Our Digital Crimes Unit will continue to pursue cases against these perpetrators and those enabling their criminal activities, and coordinate with law enforcement globally if necessary,” Microsoft stated. The Digital Crimes Unit, according to Microsoft’s website, protects the company through civil legal action, technical countermeasures, criminal referrals, and public-private partnerships.

Nightmare Eclipse claimed in a series of blogs that they communicated with Microsoft but were treated poorly, including having their Microsoft Security Response Center account revoked—the portal where researchers report vulnerabilities. They stated they had no choice but to publicly release the vulnerabilities, effectively making them zero-days. The researcher published the details on GitHub and GitLab, both owned by Microsoft, before their accounts were blocked. Neither party responded to comment requests.
The dispute has revived longstanding debates: do independent security researchers have an obligation to ensure vulnerabilities are fixed, and how far should they go to compel companies to act? While the right to payment for researchers is widely accepted—reflected in bug bounty programs offering up to hundreds of thousands of dollars—many in the cybersecurity community are openly dissatisfied with Microsoft’s handling of the issue.

Veteran security experts, including Katie Moussouris, founder of Luta Security, criticised Microsoft. During her tenure at Microsoft in the mid-to-late 2000s, Moussouris pioneered the bug bounty program and advocated replacing “responsible disclosure” with “coordinated disclosure”. “The use of ‘responsible disclosure’ was a mistake,” Moussouris said, referencing Microsoft’s blog post. “Threatening prosecution via the Digital Crimes Unit is excessive and will deter security researchers from trusting Microsoft.” She warned that losing researchers’ trust could lead to fewer vulnerability reports, making everyone less secure.

Kevin Beaumont, a former Microsoft employee and security researcher, also criticised the company, calling its stance “self-created chaos”. “Is creating and distributing proof-of-concept exploits for zero-days now considered ‘criminal activity’?” Beaumont wrote. “Responsible disclosure is often framed to protect product owners, not customers. Using it to pursue criminal charges is a new low.”
