Reports have surfaced indicating that Microsoft has allegedly threatened to initiate criminal proceedings against a security researcher. The news has drawn strong reactions from cybersecurity experts, who note that how technology firms treat legitimate security researchers is a key measure of how seriously those companies value responsibly disclosed vulnerabilities and the cooperation on which the security of the internet as a whole depends. Security researchers occupy a unique legal status and a valuable position in the technology industry: they spend large amounts of time, expertise and resources testing software, programs and applications for weaknesses in the hope of identifying and reporting significant flaws. If malicious individuals discover those same vulnerabilities first, the result can be large data breaches, major financial losses, or serious harm to millions of users. When researchers identify vulnerabilities in software and report them to the companies that own it, they provide a genuine public benefit.
Security researchers rely on a trusting relationship with the companies whose products they are researching. Companies with mature security programs have established vulnerability disclosure processes, often referred to as bug bounty programs, that allow researchers to report their findings and receive appropriate recognition and/or reward in return. Implicitly and sometimes explicitly, these arrangements promise researchers that if they follow the disclosure guidelines, they will not be subject to legal action for discovering or reporting a vulnerability.
When a large, influential company such as Microsoft threatens to pursue criminal prosecution against a researcher, it sends a message to the entire research community. Other researchers who had been planning to disclose vulnerabilities in Microsoft products will now likely weigh the risk of similar treatment against the public good created by reporting their findings.
This chilling effect has negative implications for everyone. Vulnerabilities that remain unreported to the vendor do not go away; they remain available to malicious actors who do not share the ethical considerations of responsible security researchers.
Microsoft has built significant credibility in the security community over the years through investments in security research partnerships and its Security Response Center. How it handles this controversy will determine whether that credibility survives intact or takes a lasting hit, at a moment when the security research community's trust and cooperation have never been more valuable.