Angry with researcher for publishing unpatched bugs, Microsoft to go for criminal investigation; says: Our Digital Crimes Unit will ...

Microsoft published a blog post criticizing the researcher, who goes by the handle “Nightmare Eclipse,” for publicly disclosing a series of bugs, including BlueHammer, RedSun, UnDefend, and YellowKey. The flaws affected products such as the Windows built-in antivirus engine Defender and the disk-encryption tool BitLocker. The core of Microsoft’s complaints is that the researcher did not attempt to report the bugs so that the company could fix them. According to the company that would have been “responsible,”. In a blog post, Microsoft said that by publishing the details of the bugs and how to exploit them before the company patched them, Nightmare Eclipse may have aided malicious hackers. Some of the vulnerabilities Nightmare Eclipse disclosed have since been used by hackers in real-world attacks, according to Microsoft. The disclosure by hackers has not gone well with the US cybersecurity agency CISA as well, which too agrees with Microsoft.In recent weeks several zero-day vulnerabilities have been publicly disclosed. The details of these vulnerabilities were not shared with Microsoft prior to release, and the disclosures put our customers at unnecessary risk. Every year, we work with hundreds of security researchers through Coordinated Vulnerability Disclosure (CVD) – the industry standard that asks researchers to share their findings with affected vendors to give them an opportunity to understand the impact and address it before the details are made public. This partnership allows us to make updates to impacted services before proof-of-concept code can make it into the hands of bad actors. Through this valuable partnership we also ensure researchers are compensated for their responsible disclosures and publicly acknowledged for their expertise.The vulnerabilities known as RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma were not responsibly disclosed. In response to the unnecessary risk created by these disclosures, our security teams have been working around the clock to understand the impact, protect our customers, and develop security updates. We remain firmly opposed to these actions, and any disclosure outside proper coordination that could harm our customers and the digital ecosystem. Uncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable and have real-world consequences. Our security teams across the company work tirelessly tracking threat actors who look for weaknesses just like these to attack Microsoft and our customers. Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity – coordinating as needed with law enforcement around the world. We invite diverse perspectives that help the security community work together to protect everyone. We realize that we will not always agree on everything, but we are committed to transparency and continue to create opportunities for dialogue. These conversations happen at researcher appreciation events, security conferences, and the everyday work we do together to understand and address vulnerabilities. Our team will continue to support responsible research as we do everything we can to quickly investigate, address, and release updates for vulnerabilities that impact our customers. We always have and will continue to welcome vulnerability submissions from anyone through our public researcher portal, regardless of past interactions or reputation.