Responsible disclosure is an industry norm, but I don't really see how an independent researcher has a legal obligation to play by industry norms. If I discover that any product has a defect, I am free to blab about it all I want as long as it is truthful. There may be considerations beyond this if you are disclosing something discovered by breaking terms of service or by fucking with a computer that isn't yours, but discovering that your copy of windows on your machine has a flaw and telling people about it is protected.
Yes. Simply publishing on GitHub makes it's a TOS violation. You're free to blab all you want. Just host it on your own server and maybe even your own ISP. The code will be protected, but the publishing is not!
“Our clickwrap terms of service prohibit users from talking about dangerous defects in our products without telling us and keeping it a secret for a month” is a hell of an argument to even attempt in front of a judge, let alone to be accepted.
Again, there isn’t really any case law I can find suggesting that skipping responsible disclosure opens you to any legal liability - which is the argument being made here.
The dispute is whether or not it is perfectly legal free speech. By simply publishing it on GitHub, it was a violation of a TOS and that right there opens it up to lawsuits from MS. You are free to go down this path and prove me wrong.
Responsible disclosure is an industry norm, but I don't really see how an independent researcher has a legal obligation to play by industry norms. If I discover that any product has a defect, I am free to blab about it all I want as long as it is truthful. There may be considerations beyond this if you are disclosing something discovered by breaking terms of service or by fucking with a computer that isn't yours, but discovering that your copy of windows on your machine has a flaw and telling people about it is protected.