Microsoft Accused of Threatening Cybersecurity Researchers After Vulnerability Disclosure

Administrator


Software Giant Lands in Hot Water Over Alleged Threats to Cybersecurity Experts

Controversy is brewing in the world of cybersecurity, as a large software company, known for its operating system and cloud services, finds itself in the midst of a growing scandal. The company, a regular target for hackers, is accused of threatening a security researcher who disclosed several critical vulnerabilities in their systems.

The company has a complex relationship with cybersecurity experts, some of whom it employs to deliberately seek out and report bugs in its systems. The company even runs a reward program that promises significant compensation to these 'ethical hackers' who report vulnerabilities. However, the reality seems to be less rewarding, with some researchers claiming they are not fairly compensated.

An Unsettling Revelation

A security researcher who goes by the name Nightmare Eclipse recently made a splash when he publicly disclosed six significant security vulnerabilities in the company's systems. This is an unusual move, as such vulnerabilities are typically reported directly to the company for patching. Eclipse's blog posts suggest that the public disclosure was a form of retaliation.

In a statement, Eclipse shared a chilling tale: "I was personally told by them that they will ruin my life and they did... They mopped the floor with me and pulled every childish game they could."

While these claims are unverified, they do echo similar stories told by other researchers.

Company's Response

Despite having contracts with the United States military and a CEO who has faced embarrassment over several high-profile security breaches, the company seems to be taking a more aggressive stance against hackers and those who publicize vulnerabilities. In response to Eclipse's disclosures, the company issued a strong statement:

"The vulnerabilities known as RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma were not responsibly disclosed. We remain firmly opposed to these actions, and any disclosure that could harm our customers and the digital ecosystem... Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity."

Though the United States Constitution would protect Eclipse's disclosures under freedom of speech, he might be in violation of the Computer Fraud and Abuse Act, depending on how the exploits were obtained.

Backlash from the Cybersecurity Community

The company's strong response has not been well received by the cybersecurity community. Many feel that the company is threatening those who simply disclose such vulnerabilities.

A former senior security analyst at the company criticized what he perceived as hypocrisy in the company's treatment of Eclipse. He pointed out that the company has previously employed researchers who have publicly sold exploits to rogue states.

Eclipse was also banned from several platforms, including one owned by the company itself, and had his vulnerability reporting portal account disabled. This has led to more criticism, as it makes it difficult for him to report future vulnerabilities responsibly.

A Call for Change

Given its size and prominence, the company is a prime target for hackers. With the rise of AI, the frequency and severity of these attacks are likely to increase. Many believe that the company's handling of this situation is not beneficial to its security efforts and could lead to an increase in calls for legislation around vulnerability disclosure in the United States.

As the former analyst puts it, "If the company's tactic is to try to criminalize not following often arbitrary 'responsible disclosure' frameworks, good luck defending that in court."