← Back to context

Comment by LelouBil

1 month ago

Very important info: https://www.theregister.com/security/2026/05/28/microsoft-0-...

In the linked Microsoft blog post, they say :

> The details of these vulnerabilities were not shared with Microsoft prior to release, and the disclosures put our customers at unnecessary risk.

So are they lying ? Why would Nightmare-Eclipse not report them if they are not ?

It's a very weird situation

> the disclosures put our customers at unnecessary risk.

That statement irks me. Responsible disclosure or not, It's Microsoft themselves that put their customers at risk, not the researcher.

  • The industry, on average, approves of responsible disclosure because there's a tacit agreement that making risk-proof software isn't feasible. Though admittedly some companies don't seem to be trying very hard anymore.

    It's not a dichotomy either, they can both have put the customers at risk.

  • Especially since the only explanation for why this exists is as a backdoor.

Contrary to popular belief, it is NOT anyone's obligation to do free work for megacorps. If anyone is testing MS products for free, or reporting bugs for free, that's a gracious favor, nothing more.

Yeah, but the customer in this statement being entities that requested this backdoor. Not the people/companies who paid for the licences.

>Why would Nightmare-Eclipse not report them if they are not ?

Maybe they're a foreign intelligence cutout masquerading as a burned researcher.

  • >Maybe they're a foreign intelligence cutout masquerading as a burned researcher.

    Whoever silently downvoted this, I'd love to hear why you so strongly disagree with my assessment.