Microsoft said it has "no intention to pursue action against individuals conducting or publishing their security research" despite issuing legal threats against a pseudonymous researcher doing just that.
The move by the tech giant comes after a strong backlash from security researchers, who reacted to a response from Microsoft that spoke of the company's firm opposition to researchers "not responsibly" disclosing vulnerabilities and indicated that its Digital Crimes Unit (DCU) could take further action in such cases.
Microsoft was responding to a disgruntled researcher using the monikers "Nightmare-Eclipse" and "Chaotic Eclipse" who had published proofs-of-concept for multiple vulnerabilities, including the YellowKey BitLocker disk encryption bypass.
The researcher claimed on their blog that responsible disclosure was attempted with Microsoft, but ignored, alleging poor treatment by the company.
After the disclosure of the RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma and MiniPlasma vulnerabilities, the researcher's accounts on Microsoft-owned GitHub and on the GitLab code repository were deleted.
Now, in a tweet posted to social media site X, Microsoft sought to clarify that it will not legally pursue individual researchers.
"We remain committed to engaging in good faith and to providing a respectful and professional experience for all researchers, regardless of past interactions," Microsoft said.
Microsoft qualified that statement by warning it will work with law enforcement "as appropriate" when individuals break the law or engage in malicious activity that harms the company's customers.
Among those who disagreed with Microsoft's position was Luta Security principal Katie Moussouris, who established the company's original vulnerability disclosure program during her time there.
"Researchers aren’t criminals unless their crime is curiosity," Moussouris wrote.
"Dropping [a] 0day isn’t the worst thing a researcher can do. It’s not ideal, but at least orgs can take steps to mitigate," Moussouris said, adding that non-disclosure is far worse.
Another researcher, Kevin Beaumont, expounded at length on Microsoft's response, calling it a "dumpster fire of their own making".
Chaotic Eclipse said they intend to continue to release further vulnerabilities, some of which have been contributed by other researchers.