Robert Graham
We know what probably happened. From what we see publicly, NightmareEclipse doesn't communicate well, is emotionally immature, and appears to want to extort Microsoft. Almost certainly, this played a part in the conflict between them and Microsoft -- it's probably as much NightmareEclipse's fault as Microsoft's. With that said, everything Florian says is correct. It doesn't excuse Microsoft's failures. They are supposed to be the responsible one. When there is miscommunication or dispute, it's always allowable to drop 0day, regardless of whose fault it is. It's Microsoft's job to avoid that, even when they really aren't at fault for the miscommunication. But Microsoft has convinced themselves of the opposite, that "responsible" disclosure means only the responsibilities of the vuln finder. Vuln finders have no responsibility. Dropping 0day is responsible. Responsible companies don't have so many bugs. We let industry subvert the disclosure process. Instead of working to secure their code, vendors have tricked people into believing in the myth of "responsible disclosure", that vendors should be given time to fix and patch their bugs so they are never to blame for the bugs to begin with. That's why you have customers still buying Fortinet appliances even though their bugs continue to be major sources of customers getting hacked. Customers shrug their shoulders: as long as Fortinet has a vulnerability disclosure program and releases patches, they aren't responsible for when hackers keep breaking into their boxes. This is garbage. Vendors are still responsible for preventing bugs in the first place, a responsibility that doesn't go away just because they patch. Regardless of what happened, Microsoft's threats are a gross violation of ethics in the industry.
Florian Roth ⚡️
I don’t know what happened between Microsoft and #NightmareEclipse behind closed doors. Maybe Nightmare Eclipse was unreasonable. Maybe Microsoft was. Maybe both. But I think Microsoft badly misjudged this situation. When you’re the largest software vendor on the planet, you don’t get to behave like an angry individual in an internet argument. You have to be the adult in the room. Deleting repositories, talking about criminal investigations and turning the whole thing into a public fight was a mistake. The damage from that goes far beyond this one researcher.

What surprised me most is how quickly people started sharing their own MSRC stories afterwards.
- Months without responses
- “Working as intended”
- Bounty disputes
- Reports that went nowhere

People don’t suddenly start telling those stories for no reason. I think Microsoft broke a lot of porcelain here. And for what exactly? I don’t see much upside.