
The company is threatening to involve its Digital Crimes Unit against a bug hunter who published six Windows zero-days. Cybersecurity veterans say the company has no moral high ground to stand on.
A security researcher who goes by “Nightmare Eclipse” has spent the last six weeks publicly releasing one Windows zero-day exploit after another — six in total, three of which are now being actively exploited in the wild. Microsoft’s response has not been to patch faster or open a dialogue. Instead, the company published a blog post threatening criminal referral through its Digital Crimes Unit, and the researcher has been banned from its platforms — GitHub, GitLab, and the Microsoft Security Response Center portal.
The controversy has reignited a decades-old debate about responsible disclosure — but with an uncomfortable wrinkle: as security veterans are quick to point out, Microsoft has hired people who have done the exact same thing.
What’s new
The saga began when Nightmare Eclipse started releasing proof-of-concept exploit code for unpatched Windows vulnerabilities on GitHub and GitLab. Three of the bugs — BlueHammer (CVE-2026-33825), RedSun (CVE-2026-41091), and UnDefend (CVE-2026-45498) — have since been weaponized by attackers and added to CISA’s Known Exploited Vulnerabilities catalog.
Three more — YellowKey (CVE-2026-45585), GreenPlasma, and MiniPlasma — remain unpatched. Microsoft has rated YellowKey, a BitLocker security feature bypass, as “exploitation more likely.”
In a blog post last Wednesday, Microsoft called the disclosures “never justifiable” and warned that its Digital Crimes Unit would “continue bringing cases against these actors and those that enable their criminal activity.”
The researcher, in turn, has threatened a “bone shattering” data dump on July 14, claiming that Microsoft “humiliated” them and deleted their MSRC reporting account, and that they received “zero pennies” for their work.
The double standard
What makes this case different from previous disclosure disputes is the hypocrisy argument. As security researcher Kevin Beaumont pointed out, Microsoft has hired people who have publicly posted zero-day exploits — some with criminal hacking convictions on their record. The company has also purchased exploits from commercial brokers.
“If Microsoft’s tactic is to try to criminalize not following often arbitrary ‘responsible disclosure’ frameworks, good luck defending that in court,” Beaumont wrote, “because there’s a whole clown car of prior decision making within Microsoft.”
Katie Moussouris, who pioneered Microsoft’s bug bounty program and helped establish coordinated vulnerability disclosure, told The Register that Microsoft’s response sends “mixed messages.”
TechCrunch noted that countless security researchers have shared their own negative experiences reporting bugs to Microsoft — suggesting the Nightmare Eclipse case is not an isolated incident but a symptom of a broader trust problem.
The chilling effect
The practical implications are stark. Microsoft has banned Nightmare Eclipse from GitHub, GitLab, and the MSRC portal — the very platforms researchers need to report vulnerabilities. As Beaumont drily observed: “It’s quite difficult to ‘responsibly’ report future vulnerabilities when you have been banned.”
Cybersecurity engineer Muhammad Qasim Shahzad described the damage as extraordinary: “One person caused more enterprise-level damage in six weeks than most APT groups cause in a year. The gap between disclosure and weaponization is now measured in hours, not days.”
But the broader concern is what this does to the vulnerability research ecosystem. If Microsoft is willing to threaten criminal prosecution over a disclosure disagreement, researchers may simply stop reporting bugs to Microsoft altogether — selling them to brokers or nation-states instead. That outcome is worse for everyone, including Microsoft’s customers.
The big picture
This dispute is not really about Nightmare Eclipse. It is about what happens when a platform company — one that owns the dominant code repository, the dominant desktop OS, and the dominant productivity suite — decides it can police security research with legal threats.
The coordinated disclosure framework that Moussouris and others spent years building was a truce between companies and researchers: you give us time to fix it, we give you credit and sometimes a bounty. That truce depends on mutual respect. When a company threatens criminal charges over a disclosure dispute while simultaneously hiring people with the same behavior on their résumés, the framework cracks.
Whether or not Microsoft follows through on its DCU threat, the message has already been received by the security research community: report bugs at your own risk.
Sources: The Verge (May 31, 2026); TechCrunch (May 29, 2026); The Register (May 28, 2026); Windows Central (May 29, 2026); Cybernews (May 2026)