Mark Loveless, aka Simple Nomad, is a researcher and hacker. He frequently speaks at security conferences around the globe, gets quoted in the press, and has a somewhat odd perspective on security in general.

Deeper Thoughts On Microsoft



“Uncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable and have real-world consequences. Our security teams across the company work tirelessly tracking threat actors who look for weaknesses just like these to attack Microsoft and our customers. Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity – coordinating as needed with law enforcement around the world.”

- quote from Microsoft’s MSRC blog from 20260527

This was disturbing on many levels. As many have already said, it is like a couple of decades of positivity and trust have been rolled back and pulled away.

Justification?

I do know that there is probably a lot more to the story than we currently have. For example, since the Digital Crimes Unit is involved, this implies data (deleted, threatened, or exfiltrated) is currently involved, and it suggests law enforcement is also involved. In other words, specific evidence that otherwise might shed additional light on the matter may be under wraps until a more thorough investigation has occurred.

This matches up with what little intelligence is floating around - or what one might call rumors - that there were malicious elements about the “disclosure” to Microsoft coming in the form of a possible compromise. There very well could have been threats or at least statements that are consistent with malicious actors. I am not saying there was a ransomware attack or threats for more releases unless some odd demand or demands are met, just that these rumblings from inside Microsoft suggest there is something malicious about this. And I trust the sources that relayed this information.

That being said, I don’t think that this incident justifies the statements from the blog. I mean yes, they said they were “attacked,” which implies maliciousness, but the overall message taken away from this is “disclose security flaws on our terms or face legal consequences,” and that is very similar to the general attitude from large software vendors back in the early 2000s.

The Past

Maybe an explanation about the general attitude from a couple of decades ago might help put some perspective on the situation, and reveal why many people who were around back then are so bothered by the wording from that recent blog post.

The problem was this: hackers were looking for and finding bugs. These hackers included black hats (aka “evil”) and white hats (aka “good”), but for the most part the various security vendors treated the entire group as evil. The hacker group I was associated with (NMRC) was certainly involved in this era. We were trying to report bugs (along with dozens of other hacker groups and independent researchers) to get systems fixed - mainly for our jobs as admins, but also some of us worked at companies that sold security tools that could find vulnerabilities and we wanted to recommend fixes. Remember, this was way before the standard “security@largesoftwarecompany.com” email path and before responsible disclosure was even a thing.

So you’d ask around, try to find some contact within a company, email them with the info, and hope they didn’t come after you legally or report you to the Feds or whatever. While we all started using hacker handles back in the old BBS days (partially because it was simply entertaining), we kept this up since it pseudo-protected us.

Microsoft was one of the worst corporations to deal with. One would be ignored, or they’d say “okay, thanks for the info” and simply do nothing. This was before disclosure policies and whatnot. In fact, disclosure policies came from the hacker community itself, with NMRC actually being the first to document their disclosure process, right before Rain Forest Puppy wrote his. More here.

I’ll eventually cover all of the details of those bygone days in the memoir I am writing, but from personal experience as an employee at a company that made a security scanner, I saw threats against said employer by Microsoft. There were other vendors that were worse, that made legal threats against NMRC. This was why things like Internet-spreading worms were released - some hackers chose to simply release a worm instead of trying to get a vendor to patch.

Eventually these companies changed tactics. Some were slower than others, but eventually massive steps forward were made. In many ways Microsoft became an example of how large software vendors should handle this entire process.

Current Concerns

The main concern now is that even though Microsoft has received massive backlash from the security community for walking back all of the good from the past, they have not walked back this blog post nor have they clarified if this is simply a misunderstanding involving direct malicious attacks, and not some bug report gone wrong. No clarity at all.

We do not want to return to those ancient days of bug reporters being hunted down by some faceless corporation simply because they tried to report a security flaw. Hopefully at some point we have a bit more clarity as to what really went on and things remain on good terms - terms we fought for - with the software vendors of the world.
