• bamboo@lemmy.blahaj.zone · 64 upvotes · 1 day ago

    Microsoft has been mum on any details about these matters, so it’s hard to tell if the situation is about an uncooperative researcher who doesn’t follow standard disclosure rules or a company being difficult about security reports. Regardless, the move to ban Eclipse’s GitHub account makes for poor optics, as it is being heavily criticized, and ultimately achieves nothing for security, since the code is out there anyway.

    Classic Streisand effect. Just two years ago Satya Nadella publicly announced they’re prioritizing security above all else, but now have nothing to say about these exploits and are trying to silence the researcher? Viewing from the sidelines, it did seem a bit reckless how Eclipse was dropping these as zero days, but Microsoft’s actions speak louder than words and they probably didn’t pay for the bounties.

    • Bazoogle@lemmy.world · 23 upvotes · 23 hours ago

      He also intentionally did it the day after Patch Tuesday. July 14th is also Patch Tuesday. This is about retribution for him. How you view that is going to depend on your world view. I doubt any of us feel bad for Microsoft though XD

      • kungen@feddit.nu · 13 upvotes · 22 hours ago

        And I fully believe it’d be some kind of justified retribution. The silence from Microslop’s side is deafening.

        • SleeplessCityLights@programming.dev · 2 upvotes · 5 hours ago

          They most likely did something illegal or at least something that puts them on very shaky ground if they try to litigate. I am guessing there are multiple other people they fucked over and those people are not as ethical as this person. So they chose the blackhat path. I would treat any Windows device as a compromised device. It is possible that there are 20 other people, who are the best of the best security researchers, that were taking the low-effort paycheck because it was a legal route that are now going to fuck Microsoft up. The non-technical people who made the decision to stop paying out did not fundamentally understand what they were doing. Mythos was just marketed as the best model for doing security research and they fell for it.

      • Flatfire@lemmy.ca · 2 upvotes, 1 downvote · 18 hours ago

        I don’t feel bad for Microsoft, but responsible disclosure is about more than that.

        It’s ethical. It gives the developer time to correct an error before it has the potential to affect anyone using their products. When you don’t follow that process, whether one set out by the developer, or a best effort on your part, you are now contributing to the potential harm caused by that vulnerability.

        This isn’t universal, and I have no doubt that Microsoft is also partly to blame, but there’s a significant element of attention seeking in the mix here. They could have reached out to other security researchers, validated the findings in private and found another channel to work through. Maybe he tried, but largely it seems like his actions are retaliatory and broadly harmful to anyone who has to administer these products.

        I have a lot of respect for security researchers. My job relies on the work they do and the skill it takes to do it. But part of that relies on doing things in a way that minimizes potential harm.