惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Apple Machine Learning Research
Apple Machine Learning Research
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
S
Security @ Cisco Blogs
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Cisco Talos Blog
Cisco Talos Blog
Cyberwarzone
Cyberwarzone
SecWiki News
SecWiki News
Webroot Blog
Webroot Blog
L
LINUX DO - 最新话题
V
Vulnerabilities – Threatpost
T
Troy Hunt's Blog
Cloudbric
Cloudbric
L
LINUX DO - 热门话题
Google DeepMind News
Google DeepMind News
H
Heimdal Security Blog
S
Schneier on Security
NISL@THU
NISL@THU
The Hacker News
The Hacker News
Attack and Defense Labs
Attack and Defense Labs
A
Arctic Wolf
V2EX - 技术
V2EX - 技术
Security Latest
Security Latest
AWS News Blog
AWS News Blog
Scott Helme
Scott Helme
W
WeLiveSecurity
S
Secure Thoughts
Y
Y Combinator Blog
GbyAI
GbyAI
H
Hackread – Cybersecurity News, Data Breaches, AI and More
博客园 - Franky
量子位
人人都是产品经理
人人都是产品经理
雷峰网
雷峰网
K
Kaspersky official blog
P
Privacy & Cybersecurity Law Blog
T
Tenable Blog
The GitHub Blog
The GitHub Blog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
J
Java Code Geeks
Vercel News
Vercel News
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Schneier on Security
Schneier on Security
云风的 BLOG
云风的 BLOG
小众软件
小众软件
Engineering at Meta
Engineering at Meta
宝玉的分享
宝玉的分享
C
CERT Recently Published Vulnerability Notes
Security Archives - TechRepublic
Security Archives - TechRepublic
C
CXSECURITY Database RSS Feed - CXSecurity.com
P
Palo Alto Networks Blog

The Register - Security

Are we human? MyPillow must decide whether to be firm or soft as ransomware crims demand pay Experts pour cold borscht on Farage's Russian hack claim AI eyes scanning for bugs create a worrisome Linux security trend A Russian speaker and jailbroken Gemini went on a hacking spree and emptied at least one MAGA victim's crypto wallets Techie claims Trump Mobile website was leaking thousands of people's data Dems slam Trump for making cybersecurity hold out the tin cup while splurging on ballroom and Jan. 6 'slush fund' Attackers spill plaintext passwords of 46k Myspace93 users after 2021 breach Microsoft open-sources agentic AI safety tools Are we human? America's top cyber-defense agency left a GitHub repo open with with passwords, keys, tokens – and incredibly obvious filenames America's top cyber-defense agency left a GitHub repo open with passwords, keys, tokens – and incredibly obvious filenames Shai-Hulud copycat worm infects yet another npm package MPs want social media treated more like unsafe toys than harmless apps Nobody believes the 'criminals and scumbags' who hacked Canvas really deleted stolen student data To gain root access, intruder just had to ask AWS patched Quick auth bypass, says customers weren't using control Disgruntled researcher releases two more Microsoft zero-days Malware crew TeamPCP open-sources its Shai-Hulud worm on GitHub Foxconn confirms cyberattack after ransomware crew claims it stole confidential Apple, Nvidia files US bank reports itself after slinging customer data at 'unauthorized AI app' Anthropic’s bug-hunting Mythos was greatest marketing stunt ever, says cURL creator Best Western Hotels confirms web app data breach Arctic Wolf cuts 250 jobs in AI push 1 in 8 workers say selling company logins is justifiable Iran cyberspies LARPing as ransomware crims in espionage ops UK age-gating plans risk breaking the internet, privacy groups warn India orders infosec red alert in case Mythos sparks crime 'CopyFail' attackers start cashing in on Linux flaw ShinyHunters claims dump puts 119K Vimeo emails in the wild ShinyHunters claims 119K Vimeo emails in the wild Singapore boffins get diverse SIEMs singing in harmony Shadow IT has given way to shadow AI. Enter AI-BOMs AI-BOMs replace SBOMs as way to track AI agents and bots Home Office adds £216M to travel doc contract before bids FBI: China's hacker-for-hire ecosystem 'out of control' UK business breach rate stuck at 43%... blame the phishing What type of 'C2 on a sleep cycle' do they leave behind? Novel Chinese spy group found in critical networks in Poland, Asia Chinese spy group caught lurking in Poland, Asia networks Critical cPanel, WHM flaw probs exploited as 0-day, pros say ORNL builds more sensitive GPS interference detector Microsoft patch fell short. New Windows flaw exploited Fooling large language models just keeps getting simpler Wiz hands GitHub AI-aided bug report that isn Don’t pay VECT a ransom - your big files are likely gone Pitney Bowes the latest victim of ShinyHunters’ breach-spree Ongoing supply-chain attack targets security, dev tools Medical and utility tech companies admit digital breakins Cybersecurity professional getting more work and less pay Crime crew impersonates help desk, abuses Teams chats ShinyHunters claim they have cruise giant Carnival’s booty CISA, NCSC issue Firestarter backdoor warning Intel expects AI inference to drive demand for its CPUs Open source models can find bugs as well as Mythos Researchers find sabotage malware that may predate Stuxnet Attackers could disable all of a city's public EV chargers Age checks could turn internet into an ID checkpoint, complains Proton CEO If malware via monitor cables is a matter of national security, this might be the gadget for you France's 'Secure' ID agency probes breach as crooks claim 19M records Scotland Yard can keep using live facial recognition on Londoners, say judges Nation-states want to cause harm, not just steal cash - stop handing your cyber defenses to the cheapest contractor Murder, she wrote: Ex-FBI chief wants some ransomware crims charged with homicide macOS ClickFix attacks deliver AppleScript stealers to snarf credentials, wallets Yet another ex-ransomware negotiator admits turning rogue after payoff from crimelords AI-assisted intruders pwned Vercel via OAuth abuse and a pilfered employee account Crook claims to leak 'video surveillance footage' of companies Met police trials snoop tech platform in push to cuff more London shoplifters Adaptavist Group breach spawns imposter emails as ransomware crew claims mega-haul Panasonic creates device-locked QR codes to speed facial biometric capture Iran claims US used backdoors to knock out networking equipment during war Vibe coding upstart Lovable denies data leak, cites 'intentional behavior,' then throws HackerOne under the bus Scot becomes second Scattered Spider-linked crook to plead guilty in US Just like phishing for gullible humans, prompt injecting AIs is here to stay Locked-out iPhone user tells The Reg that Apple is scrambling to fix character flaw passcode bug Git identity spoof fools Claude into giving bad code the nod McGraw Hill linked to 13.5M-record data leak Microsoft announces product it doesn't want anyone to buy Server-room lock was nothing but a crock Nobody knows how many CVEs Anthropic's Project Glasswing has actually found Autovista blames ransomware for service disruption French cops free mother and son after crypto kidnapping UK told its Big Tech habit is now a national security risk Commvault has a Ctrl+Z for rogue AI agents No honor among thieves as 0APT threatens rival ransomware gang Krybit Fake Linux leader using Slack to con devs into giving up their secrets Booking.com warns of possible reservation data exposure NHS pays £46K to prep next Microsoft licensing round China wants AI to prepare school lessons and mark homework Anthropic's Mythos has The Kettle crew curious, skeptical Two different attackers poisoned popular open source tools Hungary officials used weak passwords exposed in breach dump CPUID hijacked to serve malware as HWMonitor downloads Unpacking AI security 2026 from experimentation agentic era Microsoft locks out top open source devs, blames process NHS Scotland-linked domains push pr0n and illegal streams Iran cyber actors disrupting US water, energy facilities, FBI warns Russia's Fancy Bear still attacking routers to boost fake sites, NCSC warns AI agents found vulns in this Linux and Unix print server Don't glamorize cybercrims, roast them instead Trump wants to take a battle axe to CISA again and slash $707M from budget
Microsoft reaches for olive branch after public dustup with 0-day researcher
Carly Page Carly Page · 2026-06-02 · via The Register - Security

Security

Following days of criticism from the security community, Redmond dials back rhetoric, insists vulnerability hunters not in its legal crosshairs

Microsoft has moved to calm an increasingly noisy backlash from the security community after appearing to threaten legal action against a researcher who spent the past several weeks dumping Windows zero-days onto the internet.

In a statement published on Monday, Redmond said it has "no intention to pursue action against individuals conducting or publishing security research”, a noticeably softer position than the one it adopted just days earlier when it condemned a string of public vulnerability disclosures and invoked its Digital Crimes Unit.

The updated statement follows a public feud with a researcher known as Nightmare-Eclipse, who released multiple Windows zero-days along with proof-of-concept exploit code. Several of those vulnerabilities have since been exploited in the wild, turning what might have remained an obscure disclosure dispute into a much larger argument about how vendors handle security researchers.

Last week, Microsoft described the publication of exploit code for unpatched flaws as "never justifiable" and warned it would work with law enforcement when criminal activity harmed customers. The statement triggered immediate criticism from parts of the security community, with researchers warning that the language risked creating a chilling effect around vulnerability research.

Former Microsoft employee and security researcher Kevin Beaumont described the company's position as a "dumpster fire of its own making," while Luta Security founder Katie Moussouris, who created Microsoft's bug bounty program, told The Register the response sent mixed messages. 

She questioned Microsoft's decision to tout researcher compensation and recognition while responding to a researcher who claims he received neither, and argued that references to the Digital Crimes Unit made the post feel "vaguely threatening." She added that, regardless of the specifics of the dispute, Microsoft risked creating a chilling effect on other researchers considering whether to report vulnerabilities.

What’s more, if Microsoft's goal was to isolate Nightmare-Eclipse, that may not be going entirely to plan. The researcher claimed over the weekend that other researchers had begun handing over vulnerabilities following Microsoft's response, including an alleged flaw dubbed "Bitskrieg" that breaks Secure Boot trust guarantees and bypasses BitLocker. Nightmare-Ecipse said the bug will be released “sometime in June”. 

Against that backdrop, Microsoft's Monday message read more like damage control than deterrence.

"We have no intention to pursue action against individuals conducting or publishing their security research," Microsoft said, adding that legal referrals would be reserved for people engaging in malicious activity that causes harm to customers. The company also acknowledged that "some interactions have fallen short" and said it was working to learn from feedback.

Notably, Microsoft stopped well short of conceding any of Nightmare-Eclipse's specific allegations. The researcher had accused Microsoft of deleting accounts used for vulnerability reporting, refusing to pay bounties, and mishandling communications through the Microsoft Security Response Center. The company has not publicly addressed those claims directly.

Nobody should mistake Monday's statement for a sudden conversion to the church of full disclosure. Microsoft remains firmly of the view that researchers should report vulnerabilities privately, give vendors time to fix them, and avoid dropping working exploit code onto the internet for everyone else to play with.

The problem for Redmond was that the argument had drifted well beyond the actions of one researcher. What began as a dispute over a string of Windows zero-day releases was rapidly turning into a debate about Microsoft's relationship with the security community and whether the company was comfortable invoking lawyers when that relationship soured.

The updated statement looks very much like an attempt to slam the brakes on that narrative.  ®