Nightmare Eclipse incident shows the researcher-vendor fights may never fully go away

Microsoft’s dispute with security researcher Nightmare Eclipse over the public disclosure of zero-day vulnerabilities has reignited debate about coordinated vulnerability disclosure (CVD) and the trust gap between vendors and researchers. The controversy also highlights how delayed patching, public legal threats, and escalating tensions can leave customers exposed for longer and weaken the security community’s willingness to report flaws through vendor channels at all. #Microsoft #NightmareEclipse #RedSun #UnDefend #BlueHammer #YellowKey #GreenPlasma #MiniPlasma #VSCode

Key points

  • Microsoft threatened criminal legal action after Nightmare Eclipse publicly disclosed zero-day vulnerabilities.
  • The researcher said Microsoft ignored their disclosure attempts, denied them credit, and deleted their MSRC account.
  • Three of the six disclosed vulnerabilities were reportedly exploited in the wild before Microsoft patched them.
  • Experts said vendors and researchers alike must build trust for coordinated disclosure to work; a researcher who expects to be ignored or threatened has little incentive to report privately.
  • The incident adds pressure to an already strained vulnerability ecosystem facing a growing volume of CVEs and AI-assisted bug discovery.

Read More: https://cyberscoop.com/microsoft-coordinated-vulnerability-disclosure-debacle/