Microsoft, who banned Nightmare-Eclipse from their GitHub platform, conveys their displeasure with said individual

Along with a threat:

Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity – coordinating as needed with law enforcement around the world.

Also manages to sprinkle in a few references to not using CVD as being not "responsible". (Microsoft was a big proponent of the term "responsible disclosure", which has gone by the wayside because it tends to favor vendor-centric perspective in a subjective and moralizing way.)

A shared responsibility: Protecting customers through Coordinated Vulnerability Disclosure

It's hard to not interpret this all as:
We hate our jobs, and anyone who makes us do our jobs more is by definition our enemy.
MSRC; Tell The Whole Story Please

Every so often, it seems that Microsoft Security Response Center (MSRC) likes to stick their proverbial foot in their mouth on the topic of vulnerability disclosure. The root issue is that collecti…

Rants of a deranged squirrel.
@wdormann that guy drunkenly bullies people from his defcon cfp committee position. he isn't good people
@wdormann It seems like Microsoft is also extending an olive branch towards the end where they state they will work with any disclosure reported by whoever, regardless of reputation. From what I gather here it looks like they're laying the DCU threat while trying to keep a door open for negotiation with Nightmare-Eclipse. As a newbie, this is not how it usually goes, correct? And there's no way for the public as third parties to verify either side's claims (did Nightmare-Eclipse report and then an agreement was not verified, or did they simply not report at all?)
@chthonic @wdormann This is absolutely not “normal” but it does happen enough for the pattern to show itself…namely the vendor here is making ticky-tack calls to not provide a bounty. Yes, MSRC has public guidelines, but they are often too rigid, IMHO. Whatever bounties were in play, they are cheaper than all the ish that has happened, namely the brand impact to MSFT.

@snowride509 @chthonic @wdormann Guidelines mudlines. It's not about that.

Researchers don't have to participate in responsible disclosure. They're not contractually obligated, unless they participate in bug bounties. They can just release their findings whenever they want to.

The only thing stopping most researchers from doing it is a social contract whereby the vendor takes them seriously, fixes the bug in a timely manner, and gives them credit. This has been the model the security industry coalesced around for a while.

Microsoft blatantly broke that social contract, and now they suffer the consequences, and cry crocodile tears about it. You asked for it, Microsoft. FAFO, as the kids these days say.

@chthonic

Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity – coordinating as needed with law enforcement around the world.

This is not an olive branch. It's a threat.

@wdormann we should rename “responsible disclosure” to “Samaritan snare”
@wdormann and zero acknowledgement that MiniPlasma shouldn't even exist in any form. Total lack of self awareness.
@tiraniddo @wdormann every power dynamic ever, when left to itself: the powerful require no responsibility of themselves, but demand scrupulous responsibility from the weak

@ferrix @tiraniddo
From a coworker:

I wonder who created the vulnerabilities in the first place and if they could in any way be legally responsible for product defects.

@wdormann @tiraniddo also every time something doesn't meet the bar for servicing... imagine how many even worse defects they must constantly have if they don't have time to fix these
@tiraniddo
They did successfully break the PoC in 2020. That's all that vendors feel obligated in doing, right? 😂

@wdormann

Uncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable...

Assertion not supported by currently available data. There are plenty of historical examples of vendors which have refused to act on vulnerabilities which impact customers until their arms are twisted via public disclosure.

@TomSellers
Even better:

Microsoft should be happy that Nightmare-Eclipse told Microsoft at all, albeit at the same time as the rest of the world.

They should think long and hard about the alternative universe where instead they sold it to the highest bidder, who surely would have attempted to keep it secret.

@wdormann @TomSellers Microsoft’s very public response to Eclipse shows me that they are not a company to be taken seriously in the security community. Ignoring CVD attempts is already bad enough, but threatening and discrediting researchers when they finally get fed up and go public with their findings? How can you ever trust that they won’t do the same to you?
@wdormann @TomSellers there's another possibility (although I doubt it's super likely) that Microsoft itself might have a profit motive for keeping the vulnerability present but secret. Kind of tin-foil hat stuff, I know.

@wdormann
MSRC's rage poster couldn't even be bothered to run their shit through Microsoft Word to detect extra spaces before publicly shitting their pants on their blog.

(to be clear, not actually an issue compared to everything else here. but is another indicator of microsoft being unprofessional)