A security researcher found six unpatched vulnerabilities in Windows Defender and BitLocker. Microsoft’s response wasn’t a patch schedule — it was a threat of criminal prosecution.

Someone operating under the handle “Nightmare Eclipse” spent April and May publicly dropping proof-of-concept exploit code for vulnerabilities they dubbed BlueHammer, RedSun, UnDefend, and YellowKey, among others. The flaws hit Microsoft Defender and BitLocker — core security infrastructure baked into every Windows installation. At least three of them landed on CISA’s Known Exploited Vulnerabilities catalog. Huntress, a cybersecurity firm, reported seeing exploit tooling related to BlueHammer, RedSun, and UnDefend during real-world intrusion investigations.

These are not theoretical bugs. At least three are confirmed exploited in the wild, and the tooling has already turned up in live incident-response engagements.

Microsoft’s response came via a blog post from the Microsoft Security Response Center. The company accused Nightmare Eclipse of failing to follow “proper coordination” and warned that its Digital Crimes Unit “will continue bringing cases against these actors and those that enable their criminal activity — coordinating as needed with law enforcement around the world.”

The threat landed like a grenade in the security community.

“A Dumpster Fire of Its Own Making”

Kevin Beaumont, a former Microsoft senior security analyst, was among the first to call out the company’s posture. In a blog post on DoublePulsar.com, he described the situation as exactly that.

“Proof of concept exploit creation and distribution for zero days is ‘criminal activity’ now?” Beaumont wrote. “Responsible disclosure quite often is framed to protect the product owner, not the customer — using it to try to criminally prosecute people is a new low.”

Beaumont also pointed out a glaring inconsistency: Microsoft has hired security researchers with criminal hacking convictions on their records and has purchased exploits from brokers. The company has employed people who publicly posted zero-day exploits. If publishing proof-of-concept code is criminal activity, Microsoft has done business with — and employed — criminals.

The Researcher’s Side

Nightmare Eclipse claims the public disclosures were retaliation. In a blog post, the researcher wrote that Microsoft had previously threatened to “ruin my life” and revoked access to their MSRC account — the portal where researchers report vulnerabilities.

“Normally, I would go through the process of begging them to fix a bug,” Nightmare Eclipse wrote, according to PCMag, “but to summarize, I was told personally by them that they will ruin my life and they did.”

These claims are unverified. A Microsoft spokesperson told Windows Central that “Microsoft does not remove MSRC researcher portal accounts” and that the company “cannot confirm which account this person is claiming was deactivated.” What is verifiable is that Nightmare Eclipse’s accounts on GitHub (owned by Microsoft), GitLab, and the MSRC portal were all disabled.

As Beaumont noted: “It’s quite difficult to ‘responsibly’ report future vulnerabilities when you have been banned.”

A Chilling Precedent

Katie Moussouris, founder of Luta Security, built Microsoft’s first bug bounty programs, launched in 2013, and before that drove the company’s shift away from the language of “responsible disclosure” (the exact phrasing Microsoft invoked) toward “coordinated vulnerability disclosure.” The distinction matters. “Responsible” frames the researcher as morally obligated to the vendor. “Coordinated” acknowledges that both sides have work to do.

“Invoking the term ‘responsible’ disclosure was the first strike in my book,” Moussouris told TechCrunch. “Adding a threat of prosecution by mentioning [Digital Crimes Unit] was over the top, and will only result in security researchers distrusting Microsoft.”

She warned of a chilling effect: fewer researchers coming forward, fewer bugs reported, worse security for everyone.

The Power Asymmetry

This is not a clean story. Nightmare Eclipse may well be a disgruntled former employee — some of their posts suggest as much. Publicly dropping working exploit code before a patch exists puts real people at real risk. Microsoft is not wrong about that.

But a trillion-dollar company invoking its Digital Crimes Unit against a single researcher — while simultaneously disabling every channel that researcher might use to report bugs privately — is not a security strategy. It is an intimidation strategy.

Beaumont put it plainly: “If Microsoft’s tactic is to try to criminalise not following often arbitrary ‘responsible disclosure’ frameworks, good luck defending that in court — because there’s a whole clown car of prior decision making within Microsoft and facts which would emerge in that process.”

The bugs are real. The patches are not all shipped. And Microsoft has chosen to fight this battle with lawyers instead of engineers.
