Microsoft Says it Won't Take Security Expert to Court
Microsoft has stepped back from what some saw as a threat of legal action against a researcher who published details of several security flaws. The researcher claimed Microsoft had humiliated him when he previously reported bugs.
The dispute is the latest example of tensions over what Microsoft used to call responsible disclosure: the idea that researchers should not make bugs public until it has had a chance to prepare and distribute a fix.
Microsoft had dropped that term many years ago in favor of "coordinated vulnerability disclosure." The change in wording was designed to remove the implication that people who didn't follow Microsoft's precise timetable were acting irresponsibly.
Conflict Over Bug Disclosure
Researchers have often complained that tech companies take too long to fix problems and that in some cases, going public with a vulnerability is necessary to force them into action.
A researcher known only by the online name Nightmare Eclipse recently posted to say Microsoft had "refused, humiliated me and made sure to insult me in front of people" in relation to previous reports. They also complained Microsoft had deleted the user account with which they made the bug reports. (Source: blogspot.com)
The researcher published details of six vulnerabilities and implied they would unleash a bigger collection on July 14th. That date may not be a coincidence: it's the second Tuesday of the month, when Microsoft issues its main security updates, so it would be the worst possible day for Microsoft to have to deal with bugs becoming public.
Microsoft initially responded with what appeared to be a threat to pursue criminal action against Nightmare Eclipse, though it did not name them directly. It explicitly said the six bugs "were not responsibly disclosed", also referring to "responsible disclosures" and "responsible research".
Legal Threats and Backtracking
It also said "Our security teams across the company work tirelessly tracking threat actors who look for weaknesses just like these to attack Microsoft and our customers. Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity - coordinating as needed with law enforcement around the world." (Source: microsoft.com)
While that may be aimed primarily at hackers who plan to exploit vulnerabilities, some had interpreted it as a threat against Nightmare Eclipse for making the bugs public. The incident appears to have damaged Microsoft's reputation in the security community.
Microsoft now says, "we have no intention to pursue action against individuals conducting or publishing their security research." It added that "We are committed to approaching every interaction [with bug reporters] with transparency, clear communication, and professionalism. We acknowledge that some interactions have fallen short and are working to learn from them." (Source: x.com)
What's Your Opinion?
Do you think researchers should always wait for a company's fix before going public? Is Microsoft right to use legal pressure against security experts who bypass their timelines? How can tech giants improve their relationships with independent security researchers?