Microsoft, who banned Nightmare-Eclipse from their GitHub platform, conveys their displeasure with said individual
-
Microsoft, who banned Nightmare-Eclipse from their GitHub platform, conveys their displeasure with said individual
Also manages to sprinkle in a few references to not using CVD as being not "responsible". (Microsoft was a big proponent of the term "responsible disclosure", which has gone by the wayside because it tends to favor vendor-centric perspective in a subjective and moralizing way.)
-
Microsoft, who banned Nightmare-Eclipse from their GitHub platform, conveys their displeasure with said individual
Also manages to sprinkle in a few references to not using CVD as being not "responsible". (Microsoft was a big proponent of the term "responsible disclosure", which has gone by the wayside because it tends to favor vendor-centric perspective in a subjective and moralizing way.)
@wdormann It seems like Microsoft is also extending an olive-branch towards the end where they state they will work with any disclosure reported by whoever, regardless of reputation. From what I gather here it looks like they're laying the DCU threat while trying to keep a door open for negotiation with Nightmare-Eclipse. As a newbie, this is not how it usually goes correct? And there's no way for the public as third parties to verify either sides claims (did Nightmare-Eclipse report and then an agreement was not verified or did they simply not report at all?)
-
R relay@relay.infosec.exchange shared this topic
-
@wdormann It seems like Microsoft is also extending an olive-branch towards the end where they state they will work with any disclosure reported by whoever, regardless of reputation. From what I gather here it looks like they're laying the DCU threat while trying to keep a door open for negotiation with Nightmare-Eclipse. As a newbie, this is not how it usually goes correct? And there's no way for the public as third parties to verify either sides claims (did Nightmare-Eclipse report and then an agreement was not verified or did they simply not report at all?)
@chthonic @wdormann This is absolutely not “normal” but it does happen enough for the pattern to show itself…namely the vendor here is making ticky-tack calls to not provide a bounty. Yes, MSRC has public guidelines, but they are often too rigid, IMHO. Whatever bounties were in play, they are cheaper than all the ish that has happened, namely the brand impact to MSFT.
-
Microsoft, who banned Nightmare-Eclipse from their GitHub platform, conveys their displeasure with said individual
Also manages to sprinkle in a few references to not using CVD as being not "responsible". (Microsoft was a big proponent of the term "responsible disclosure", which has gone by the wayside because it tends to favor vendor-centric perspective in a subjective and moralizing way.)
@wdormann we should rename “responsible disclosure” to “Samaritan snare”
-
Microsoft, who banned Nightmare-Eclipse from their GitHub platform, conveys their displeasure with said individual
Also manages to sprinkle in a few references to not using CVD as being not "responsible". (Microsoft was a big proponent of the term "responsible disclosure", which has gone by the wayside because it tends to favor vendor-centric perspective in a subjective and moralizing way.)
@wdormann and zero acknowledgement that MiniPlasma shouldn't even exist in any form. Total lack of self awareness.
-
Microsoft, who banned Nightmare-Eclipse from their GitHub platform, conveys their displeasure with said individual
Also manages to sprinkle in a few references to not using CVD as being not "responsible". (Microsoft was a big proponent of the term "responsible disclosure", which has gone by the wayside because it tends to favor vendor-centric perspective in a subjective and moralizing way.)
@wdormann "gone by the wayside" good, they literally made it up to bully researchers.
-
@wdormann and zero acknowledgement that MiniPlasma shouldn't even exist in any form. Total lack of self awareness.
-
@chthonic @wdormann This is absolutely not “normal” but it does happen enough for the pattern to show itself…namely the vendor here is making ticky-tack calls to not provide a bounty. Yes, MSRC has public guidelines, but they are often too rigid, IMHO. Whatever bounties were in play, they are cheaper than all the ish that has happened, namely the brand impact to MSFT.
@snowride509 @chthonic @wdormann Guidelines mudlines. It's not about that.
Researchers don't have to participate in responsible disclosure. They're not contractually obligated, unless they participate in bug bounties. They can just release their findings whenever they want to.
The only thing stopping most researchers from doing it is a social contract whereby the vendor takes them seriously, fixes the bug in a timely manner, and gives them credit. This has been the model the security industry coalesced around for a while.
Microsoft blatantly broke that social contract, and now they suffer the consequences, and cry crocodile tears about it. You asked for it, Microsoft. FAFO, as the kids these days say.
-
@wdormann It seems like Microsoft is also extending an olive-branch towards the end where they state they will work with any disclosure reported by whoever, regardless of reputation. From what I gather here it looks like they're laying the DCU threat while trying to keep a door open for negotiation with Nightmare-Eclipse. As a newbie, this is not how it usually goes correct? And there's no way for the public as third parties to verify either sides claims (did Nightmare-Eclipse report and then an agreement was not verified or did they simply not report at all?)
Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity – coordinating as needed with law enforcement around the world.
This is not an olive branch. It's a threat.
-
M mttaggart@infosec.exchange shared this topic
-
Microsoft, who banned Nightmare-Eclipse from their GitHub platform, conveys their displeasure with said individual
Also manages to sprinkle in a few references to not using CVD as being not "responsible". (Microsoft was a big proponent of the term "responsible disclosure", which has gone by the wayside because it tends to favor vendor-centric perspective in a subjective and moralizing way.)
Uncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable...
Assertion not supported by currently available data. There are plenty of historical examples of vendors which have refused to act on vulnerabilities which impact customers until their arms are twisted via public disclosure.
