Microsoft is threatening legal action for disclosing exploits
Microsoft is facing criticism for its handling of zero-day exploits. Someone going by the name Nightmare Eclipse has been publicly feuding with the company, posting proof-of-concept exploit code. Some of their posts suggest that they’re a disgruntled former employee. But what caught cyber security researcher Kevin Beaumont’s eye was how Microsoft has responded.
Microsoft suggests it plans to bring a criminal case against Nightmare Eclipse for failing to follow “proper coordination” in disclosing vulnerabilities. It has also disabled Nightmare Eclipse’s GitHub, GitLab, and Microsoft Security Response Center (MSRC) accounts. As Beaumont points out, “It’s quite difficult to ‘responsibly’ report future vulnerabilities when you have been banned.”
What troubles Beaumont is that Microsoft has hired people who have done many of the exact same things. They’ve employed people who have publicly posted zero-day exploits, some with criminal hacking convictions on their record. Microsoft has also purchased exploits from brokers.
Beaumont sums it up: “If Microsoft’s tactic is to try to criminalise not following often arbitrary ‘responsible disclosure’ frameworks, good luck defending that in court — because there’s a whole clown car of prior decision making within Microsoft and facts which would emerge in that process.”