Microsoft threatens security researcher with criminal investigation over public bug disclosure

Microsoft is threatening legal action against a security researcher who publicly disclosed multiple unpatched vulnerabilities in Windows products without first giving the company a chance to fix them. The dispute highlights ongoing tensions between tech companies and independent researchers over how security flaws should be handled.

The controversy centers on a researcher known as “Nightmare Eclipse,” who published details and exploit code for several bugs affecting Microsoft products including Windows Defender and BitLocker. Microsoft responded with a blog post criticizing the researcher and warning of potential criminal prosecution through its Digital Crimes Unit.

The core issue is that Nightmare Eclipse didn’t follow what Microsoft calls “responsible disclosure” – privately reporting bugs so companies can patch them before making details public. Instead, the researcher published the vulnerabilities on GitHub and GitLab, essentially turning them into zero-days that could be exploited by malicious actors. Microsoft says some of these flaws have already been used in real-world attacks, according to reports from the company and the U.S. cybersecurity agency CISA.

“Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity – coordinating as needed with law enforcement around the world,” Microsoft wrote in its response. The unit typically handles civil legal actions, technical countermeasures, and criminal referrals to protect the company’s interests.

However, Nightmare Eclipse claims to have tried working with Microsoft initially. In recent blog posts, the researcher alleged they were mistreated by the company, including having their Microsoft Security Response Center account revoked. This portal is where researchers typically report vulnerabilities to Microsoft. The researcher implied they had no choice but to go public after being shut out of official channels.

Nightmare Eclipse’s accounts on both GitHub and GitLab have since been banned from those platforms. Neither party responded to requests for comment about the dispute.

The controversy has reignited a long-standing debate in cybersecurity circles about the responsibilities of independent researchers and how far they should go to ensure companies fix the bugs they discover. This issue matters because the relationship between researchers and tech giants directly impacts how quickly dangerous security flaws get patched, affecting millions of users worldwide.

The cybersecurity community has largely sided against Microsoft in this case. Many researchers have shared their own negative experiences trying to report bugs to the company, raising questions about whether Microsoft’s vulnerability reporting process is actually working as intended.

Katie Moussouris, founder of Luta Security and a former Microsoft employee who helped pioneer bug bounty programs in the 2000s, criticized the company’s approach. She warned that Microsoft’s legal threats could create a “chilling effect” where fewer researchers come forward to report vulnerabilities.

“Invoking the term ‘responsible’ disclosure was the first strike in my book,” Moussouris said. “Adding a threat of prosecution by mentioning Digital Crimes Unit was over the top, and will only result in security researchers distrusting Microsoft.”

Security researcher Kevin Beaumont, also a former Microsoft employee, called the company’s position a “dumpster fire of its own making.” He questioned whether creating proof-of-concept exploits for zero-days should really be considered criminal activity, arguing that responsible disclosure frameworks often protect companies rather than customers.

The dispute comes at a time when bug bounty programs have become standard practice across the tech industry. These programs, which can pay researchers six-figure sums for privately disclosing vulnerabilities, emerged from a 2009 campaign called “No More Free Bugs” that argued researchers deserved compensation for their work.

The outcome of this controversy could influence how other tech companies handle similar situations and whether researchers continue to trust official channels for reporting security flaws. If researchers lose confidence in working with companies directly, it could lead to more public disclosures of unpatched vulnerabilities, potentially making software less secure for everyone.