Robert Graham@robertgraham
We know what probably happened.
From what we see publicly, NightmareEclipse doesn't communicate well, is emotionally immature, and appears to want to extort Microsoft.
Almost certainly, this played a part in the conflict between them and Microsoft -- it's probably as much NightmareEclipse's fault as Microsoft's.
With that said, everything Florian says is correct. It doesn't excuse Microsoft's failures. They are supposed to be the responsible one,
When there is miscommunication or dispute, it's always allowable to drop 0day, regardless whose fault it is. It's Microsoft's job to avoid that, even when they really aren't at fault for the miscommunication.
But Microsoft has convinced themselves of the opposite, that "responsible" disclosure means only the responsibilities of the vuln finder.
Vuln finders have no responsibility. Dropping 0day is responsible. Responsible companies don't have so many bugs.
We let industry subvert the disclosure process. Instead of working to secure their code, vendors have tricked people into believing in the myth of "responsible disclosure", that vendors should be given time to fix and patch their bugs so they are never to blame for the bugs to begin with.
That's why you have customers still buying Fortinet appliances even though their bugs continue to be major sources of customers getting hacked. Customers shrug their shoulders: as long as Fortinet has a vulnerability disclosure program and releases patches, they aren't responsible for when hackers keep breaking into their boxes.
This is garbage. Vendors are still responsible for preventing bugs in the first place, a responsibility that doesn't go away just because they patch.
Regardless of what happened, Microsoft's threats are a gross violation of ethics in the industry.
