Researchers normally submit such findings to the Microsoft Security Response Center (MSRC) for patching to prevent hackers from exploiting them. But Nightmare Eclipse has deliberately ignored the responsible disclosure route, citing claims that Microsoft mistreated them.

“They mopped the floor with me and pulled every childish game they could,” the researcher wrote last month, without elaborating. “It was soo bad at some point I was wondering if I was dealing with a massive corporation or someone who is just having fun seeing me suffer but it seems to be a collective decision.”

  • disorderly@lemmy.world · 5 hours ago · 37 up / 1 down

    Every place I’ve ever worked has tried to play cute with security researchers. I’ve never understood it. I’ve always called it out. But I keep fucking running into it!

    • crunchy@lemmy.dbzer0.com · 5 hours ago · 18 up / 1 down

      They know that most security researchers won’t risk legal action by releasing through other means, so they’ll do whatever saves them a few dollars in paying them.

      But what can we do about it? A nonprofit legal fund that barely stands a chance against Microsoft’s legal team? There must be something meaningful.

      • adarza@lemmy.ca · 4 hours ago · 5 up / 1 down

        so they’ll do whatever saves them a few dollars in paying them.

        or whatever keeps a public CVE from getting published.