Why Can't We All Just Get Along?
We all tend to skim the headlines. It used to happen with a real newspaper in hand. Today it happens most often on our phones in our idle moments. The headlines we see are tuned by what we’ve read and engaged with before: things the algorithm thinks we’ll read and agree with. More often than not, the headline is crafted to draw us to the conclusion before we’ve even touched the article itself. In my own feed recently, I started reading snippets about how a disgruntled security researcher ended up on the wrong side of Microsoft, and how it might have far-reaching implications. For a while, I just skimmed the headlines as usual. Then I started asking questions. The first one was simple: why would Microsoft and a security researcher end up in open conflict in the first place? What does that relationship even look like when it’s working, and what has to go wrong for it to break this badly? The more I dug in, the more that specific question opened into a bigger one. One I don’t think is unique to security.
Why can’t we all just get along?
The honest answer, the real one and not the bumper sticker version, is that it is as complex as the number of perspectives in a room. Which is to say: very. It is a question that applies in security, in diplomacy, in any room where the parties involved have mutual stakes and choose leverage over alignment anyway. The more perspectives in the room, the harder the answer gets.
Today the angle is security. Specifically, what happens when the people who find the holes and the people who are supposed to fix them stop trusting each other entirely.
You may have seen the name Nightmare-Eclipse. A researcher with deep knowledge of Windows internals spent six weeks dropping six working zero-day exploits publicly, with full proof-of-concept code and no coordination with Microsoft. The security community’s reaction has been complicated, and that complication is worth sitting with.
Normally, security researchers who find vulnerabilities and disclose them without coordinating with the vendor are described as practicing “grey hat hacking.” The term exists because the ethics genuinely are not clean: they are not malicious actors seeking personal gain, but they are not following the rules of coordinated disclosure either. They sit somewhere in between. This situation pushed past even that. If the researcher’s version of events is to be believed, their hand was forced: Microsoft had deleted the account they used to report vulnerabilities, paid them nothing for prior work, and left them with no functional path back in. What followed was six working exploits dropped publicly with full proof-of-concept code. You do not do that. It hands working exploits to threat actors. Real systems get compromised. Real people absorb the cost. That happened here, with at least three of the six vulnerabilities actively exploited in the wild almost immediately after release.
Microsoft’s response was a blog post about shared responsibility and coordinated disclosure norms. The security community was largely not impressed. Katie Moussouris, the security researcher who pioneered Microsoft’s own bug bounty program, told The Register that the situation paints a picture of someone who believes every legitimate channel was closed to them, and that “the researcher’s grievances are serious and specific.”
I am not here to decide who is right. I genuinely do not know, and neither does anyone outside that room. What I do know is that when trust between researchers and vendors collapses completely, the people writing the checks and the people cashing them are not the ones who pay for it. Users are.
There is another layer worth naming. AI tools have multiplied the volume and speed of vulnerability discovery, which means more reports, more noise, more pressure, and less margin for the kind of trust-building that responsible disclosure actually requires.
The Nightmare-Eclipse situation did not happen in a vacuum. It happened inside a system that was already straining under its own weight.
So what does this mean for the person who is not in security, who is just trying to use a computer to do their job?
Two things, practically speaking.
First, patch your stuff. Do not ignore the update popup. I understand why people do. The OS you are running works. You are comfortable with it. You do not know what the update will change, whether it will introduce friction, or whether it will break something you rely on. That hesitation makes sense. But the downside of sitting on a known vulnerability is almost always worse than the downside of an update that takes some getting used to. Sitting on it means lost work, lost time, lost money, and the particular cost of realizing that something you trusted failed you when it mattered. There is always a gap between when a vulnerability is discovered and when a fix lands, and that window is when exposure is highest. You cannot control how fast your vendor closes it, but you can make sure you are not still running last month’s version when they do.
Second, let the people making decisions know that you have a stake in those decisions and that you are paying attention. That means anyone who makes choices that affect you without you in the room: your employer, your software vendor, your school, your hospital. Organizations do not change their behavior because it is the right thing to do. They change it when the people who depend on them make clear that they are paying attention. You do not have to be an expert to ask how quickly your organization responds when something like this happens, or whether the tools you rely on are maintained by people who take this seriously. The answer will tell you something important.
The easy read of all this is: get along, hold hands, kumbaya. That is not what I am saying. Cooperation without real incentive is just a sentiment. For this to actually work, researchers need to know that responsible disclosure pays off. Not just morally. Practically. Vendors need to know that a researcher finding a hole is an asset and not a threat.
Neither of those things is fully true right now. Until they are, we will keep having versions of this conversation with different names and different exploits.
The security situation is just today’s illustration. The pattern is older than the internet. The parties with mutual stakes choose leverage over alignment, and the wellbeing of everyone else absorbs the cost.
I hope I am wrong about where this is heading. I genuinely do. But I fear I am not wrong.
ADHawk Technical Solutions — Protecting Access. Empowering People.
If this raised questions about how your organization handles vulnerability disclosure or patch management, that is exactly the right thing to be thinking about. I am glad to talk.