“The vulnerabilities labeled Red Sun, Undefend, Blue Hammer, Yellow Key, Green Plasma and Mini Plasma were not disclosed in a responsible manner,” Microsoft said in a recent blog post. Uncoordinated releases that put proof-of-concept code for unpatched vulnerabilities into the hands of malicious actors are never justified and have real consequences.
The conflict revolves around the question of responsible disclosure of security vulnerabilities: Nightmare Eclipse makes vulnerabilities public in order to draw attention to risks, while Microsoft objects that doing so allows attackers to exploit the information before security updates are available.
According to Krebs on Security, Microsoft has since withdrawn this threat. What is noteworthy, however, is that the researcher does not appear to receive any explicit recognition for his discoveries. Instead, Microsoft simply thanks everyone who contributed to the security improvements.
