"They will ruin my life": Microsoft threatens to wield 'Digital Crimes Unit' over zero-day exploit disclosures — causing uproar in the cybersec community

A hacker does hacker things, or something. (Image credit: Getty Images / boonchai wedmakawand)

Having known a fair few cybersecurity researchers in my time, I know that Microsoft is something of a controversial figure.

As the most widely used operating system in the world, Windows is a frequent target of hacks and exploits, as is Microsoft's Azure cloud. Russian-backed hackers breached Microsoft 365 last year, for example, compromising the accounts of U.S. government officials.

To combat this, Microsoft is known to work with prolific and not-so-prolific security researchers, sometimes called whitehat hackers, who test Microsoft's security layers and then report the issues. Microsoft has a bug bounty program to that end, where ethical hackers can report exploits for a major pay day. At least, in theory.

I know from my experience working with Xbox and Windows sources that actually getting paid is often more difficult than Microsoft's documentation suggests. I know more than a couple of researchers who weren't compensated fairly in the past, and, to speculate, this latest drama appears to revolve around one such burned researcher.

Security researcher Nightmare Eclipse went on a spree recently, publicly disclosing six major security vulnerabilities in Windows and other Microsoft systems. Typically, these types of bugs would be reported directly to Microsoft so that the firm could patch them up, but prior blog posts from Eclipse suggest he may have disclosed these publicly for retaliatory reasons.


Microsoft's infrastructure is increasingly under attack from hackers both at a domestic and nation-state level. Iran also recently signalled intent to target Microsoft data centers in its recent conflict with the United States government. (Image credit: Microsoft)

"Normally, I would go through the process of begging them to fix a bug," Eclipse wrote (via PCMag), "but to summarize, I was told personally by them that they will ruin my life and they did and I'm not sure if I was the only who had this horride [sic] experience or few people did but I think most would just eat it and cut their losses but for me, they took away everything. They mopped the floor with me and pulled every childish game they could. It was soo bad at some point I was wondering if I was dealing with a massive corporation or someone who is just having fun seeing me suffer but it seems to be a collective decision."

Nightmare Eclipse's claims are unverified allegations for now, but for what it's worth, this isn't the only story like this I've heard.

Microsoft has contracts with the United States military and takes security very seriously, although perhaps not seriously enough. CEO Satya Nadella has been embarrassed over the past couple of years with some high-profile Azure hacks, and maintaining a good relationship with well-meaning ethical hackers should be an instrumental pillar of protecting Microsoft customers.

Every week I feel like there's a new story about how AI-powered hacks could upend global cybersecurity at both ends. It seems Microsoft is taking a more aggressive posture with regards to chasing down hackers, as well as those who publicize vulnerabilities. As such, Microsoft issued a response to Nightmare Eclipse's disclosures.

"The vulnerabilities known as RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma were not responsibly disclosed. In response to the unnecessary risk created by these disclosures, our security teams have been working around the clock to understand the impact, protect our customers, and develop security updates.

We remain firmly opposed to these actions, and any disclosure outside proper coordination that could harm our customers and the digital ecosystem. Uncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable and have real-world consequences. Our security teams across the company work tirelessly tracking threat actors who look for weaknesses just like these to attack Microsoft and our customers. Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity – coordinating as needed with law enforcement around the world."


The thing is, the United States Constitution would protect Nightmare Eclipse's disclosures under free speech protections. However, he might be in violation of the Computer Fraud and Abuse Act, depending on how the exploits were obtained.

The language in Microsoft's blog post has nonetheless raised the ire of security researchers, since it seems to suggest the company will also pursue those who merely disclose such exploits.

Former Microsoft senior security analyst Kevin Beaumont (via The Verge) called out Redmond's apparent hypocrisy over Nightmare Eclipse's treatment.

"Hang on.. proof of concept exploit creation and distribution for zero days is “criminal activity” now? Who in CELA signed off that wording? Microsoft are the biggest distributor of zero days, via Github. Not following made up “responsible disclosure” processes is not illegal.

Nightmare Eclipse was also kicked off GitHub (owned by Microsoft), Gitlab (a Microsoft partner), they were doxxed on Twitter and had their MSRC — Microsoft vulnerability reporting portal — account disabled. It’s quite difficult to ‘responsibly’ report future vulnerabilities when you have been banned."

In the same post, Beaumont suggested that Microsoft had previously hired security researchers who were on public record of selling exploits to rogue states like Russia and Iran. "Microsoft knowingly employed somebody who would repeatedly talk about selling exploits to Russia and Iran, publicly, while working there — for years. They have a long history of hiring people, some with criminal convictions for hacking offenses — and hiring people who’ve posted zero days publicly."

When you're an operation as large and sprawling as Microsoft, you are all but certain to become a target of criminals at both the individual and state-backed level. Microsoft also has one of the largest market capitalizations in the world, and pressures itself to cut corners to deliver glowing profitability reports to Wall Street.

Security exploits are an inevitability in software, but in the AI era, the pace at which Microsoft finds itself under attack is only going to increase over time. It doesn't seem particularly virtuous of the company to antagonize researchers in the way it appears to be doing right now. The drama may intensify calls to formalize legislation around vulnerability disclosure, which has been debated back and forth in the United States but never fully implemented at a federal level.

As Beaumont closes on DoublePulsar.com, "If Microsoft’s tactic is to try to criminalise not following often arbitrary “responsible disclosure” frameworks, good luck defending that in court — because there’s a whole clown car of prior decision making within Microsoft and facts which would emerge in that process."




Jez Corden
Executive Editor

Jez Corden is the Executive Editor at Windows Central, focusing primarily on all things Xbox and gaming. Jez is known for breaking exclusive news and analysis as relates to the Microsoft ecosystem — while being powered by tea. Follow on X.com/JezCorden and tune in to the XB2 Podcast, all about, you guessed it, Xbox!
