Microsoft is reportedly facing criticism over its response to a security researcher who has been publicly sharing proof-of-concept code for software vulnerabilities. According to a report by The Verge, a person using the name "Nightmare Eclipse" has been involved in an ongoing dispute with Microsoft over the disclosure of zero-day exploits.
The individual has posted exploit code online and, in some messages, suggested they may be a former Microsoft employee. The case has drawn attention from cybersecurity experts, who are questioning Microsoft's actions after the company reportedly suspended several of the individual's accounts and raised the possibility of legal action.

Researcher questions Microsoft's response

Cybersecurity researcher Kevin Beaumont highlighted Microsoft's handling of the situation in a recent post.

According to The Verge, Microsoft indicated that it could pursue a criminal case against Nightmare Eclipse for not following what it described as "proper coordination" when disclosing vulnerabilities. The company also disabled the individual's GitHub, GitLab and Microsoft Security Response Center accounts.

As Beaumont noted, “It’s quite difficult to ‘responsibly’ report future vulnerabilities when you have been banned.”

Beaumont also argued that Microsoft's position appears inconsistent with some of its past decisions. According to Beaumont, Microsoft has previously hired individuals who publicly disclosed zero-day exploits, including some who had criminal hacking convictions. He also pointed out that the company has purchased exploits from third-party brokers.

Summing up his concerns, Beaumont wrote: “If Microsoft’s tactic is to try to criminalise not following often arbitrary ‘responsible disclosure’ frameworks, good luck defending that in court — because there’s a whole clown car of prior decision making within Microsoft and facts which would emerge in that process.”

The dispute has added to the broader debate within the cybersecurity community about vulnerability disclosure practices and how technology companies should respond when researchers publicly release exploit information.