Accusation, Trust, and the Future of Vulnerability Disclosure | Lawfare
The upcoming main navigation can be gotten through utilizing the tab key. Any buttons that open a sub navigation can be triggered by the space or enter key.
Search Lawfare
Search
Advanced Search
Cory Simpson
Meet The Authors
Subscribe to Lawfare
In May, an independent security researcher known as Nightmare Eclipse published a series of unpatched Windows vulnerabilities after what the researcher described as a failed disclosure process with Microsoft. The researcher said the vulnerabilities, along with proof-of-concept exploit code, had been reported to the company before publication. Microsoft said the disclosure occurred outside proper coordination, accused the researcher of enabling criminal activity, invoked its Digital Crimes Unit, and pointed toward potential law enforcement action.<br>Microsoft blurred a line it knows well: the line between protecting billions of users from malicious actors and implying that security researchers may be treated as criminals for good-faith research. The security community heard the message that way and responded forcefully, with researchers publicly describing their own frustrations working with Microsoft’s disclosure process.<br>Microsoft later clarified that it has no intention of pursuing action against individuals conducting or publishing security research, while reserving the right to work with law enforcement when someone breaks the law and harms customers. That clarification drew the line where Microsoft should have drawn it from the start.<br>The episode raises a broader question for cybersecurity governance: What happens when a company with state-like reach invokes the language of criminal enforcement in a system that depends on voluntary reporting and trust?<br>Coordinated vulnerability disclosure (CVD) is the process by which researchers report vulnerabilities to vendors so that the vendors can assess risk, develop patches, and protect users before adversaries exploit the flaw. The process depends on trust and clear communication. Researchers surface findings to support remediation. Vendors assess risk, communicate with researchers, and move quickly to protect customers. The mission is to surface weaknesses while vendors still have time to act.<br>CVD depends on a clear line between the disclosure process and the criminal justice system. Criminal conduct belongs in lawful channels grounded in facts, authorization, intent, and harm. The CVD process should remain focused on validation, remediation, communication, and user protection. When criminal law language enters the disclosure conversation, it distorts the relationship the process depends on and weakens the trust that makes coordinated disclosure work.<br>Legal uncertainty weakens coordinated disclosure by shifting the researcher’s question from “How do I help fix this?” to “What could this cost me?” Researchers begin weighing personal exposure against technical risk, and vendors lose credibility with the very community they depend on. A National Telecommunications and Information Administration (NTIA) survey found that 60 percent of researchers cited the threat of legal action as a reason they might decline to work with a vendor on disclosure. The same report found that researchers overwhelmingly use coordinated disclosure, and that when they choose another path, communication has usually broken down first. Legal certainty and communication are the foundation of coordinated disclosure.<br>CVD is not whistleblowing, but the two systems share a basic design principle: People are more likely to surface risk when they trust the channel and believe they can use it safely. That design principle dates back to the earliest years of the republic. In 1778, the Continental Congress protected sailors and marines who reported misconduct by the commander of the Continental Navy and later faced a criminal libel suit. The lesson still applies. Systems that depend on disclosure must protect those willing to come forward. Researchers who fear legal exposure may stay silent, delay reporting, or disclose outside the vendor process.<br>The Nightmare Eclipse dispute shows how quickly trust and communication can break down. The researcher alleges that Microsoft deleted the Microsoft Security Response Center account used to report bugs, closing the coordinated disclosure channel before exploit code went public. Once that channel closes, researchers have fewer good options and vendors lose control of the timeline.<br>The pattern extends beyond Microsoft. In 2020, Voatz, a mobile voting app used in several U.S. elections, clashed with MIT researchers who identified flaws in the company’s software. Voatz denied the findings, removed legal protections for independent researchers, and, according to some involved, reported one of the researchers to the FBI. Security and election experts expressed alarm, and HackerOne, a...