Microsoft Threatens Researcher With Criminal Probe—Over Zero-Day Disclosures
Microsoft warned it may pursue legal action against a researcher who published 6 unpatched zero-days, sparking a cybersecurity backlash over disclosure norms.
In Brief
- Microsoft threatened a security researcher with criminal investigation after they published 6 unpatched zero-day flaws in Windows Defender and BitLocker.
- The researcher, Nightmare Eclipse, claims Microsoft revoked their bug-reporting access first — and the cybersecurity community is siding with the hacker.
- CISA has already ordered federal agencies to patch one of the disclosed flaws, and a live intrusion using the exploits was observed by Huntress.
Microsoft is threatening a security researcher with criminal prosecution after they publicly disclosed 6 unpatched zero-day vulnerabilities in products including Windows Defender and BitLocker. The researcher, who goes by Nightmare Eclipse, published proof-of-concept exploit code for flaws dubbed BlueHammer, RedSun, UnDefend, and YellowKey after claiming Microsoft mistreated them, TechCrunch reports.
The company responded Wednesday with a blog post calling for “responsible” disclosure and warning that its Digital Crimes Unit “will continue bringing cases against these actors and those that enable their criminal activity — coordinating as needed with law enforcement around the world,” according to the post from the Microsoft Security Response Center (MSRC).
The stakes are not theoretical. The U.S. Cybersecurity and Infrastructure Security Agency ordered federal agencies to patch BlueHammer, BleepingComputer reports. Huntress also observed BlueHammer, RedSun, and UnDefend tooling during a live intrusion investigation, the security firm confirmed.
Disclosure Debate Erupts
Nightmare Eclipse claims they tried working with Microsoft but the company revoked access to their MSRC account — the portal for reporting vulnerabilities. They published exploits on GitHub and GitLab after the dispute escalated. Both accounts were subsequently banned, per PCMag.
Katie Moussouris, who created Microsoft’s first bug bounty programs, told TechCrunch that using the phrase “responsible” disclosure was the first strike and that adding a threat of prosecution would only make researchers distrust the company. Former Microsoft employee Kevin Beaumont called the situation a dumpster fire of the company’s own making, writing on his DoublePulsar blog.
The backlash echoes long-running tensions in the security community. Bug bounty programs now pay six-figure rewards for privately disclosed flaws, a shift from the “No More Free Bugs” campaign of 2009. But when researchers feel burned by the process — as bug bounty platforms themselves drown in AI-generated submissions — some go public. The zero-day debate also mirrors recent concerns after an AI agent discovered an unpatched RCE flaw affecting 30% of the web.
FAQ
Who is Nightmare Eclipse?
A security researcher who published 6 unpatched Microsoft zero-days after claiming the company revoked their bug-reporting access.
What zero-days were disclosed?
BlueHammer, RedSun, UnDefend, and YellowKey — flaws affecting Windows Defender, BitLocker, and other Microsoft products.
Has the exploit code been used in attacks?
Yes. CISA ordered federal agencies to patch BlueHammer, and Huntress observed three of the exploits during a live intrusion.
What does Microsoft want?
The company wants researchers to follow coordinated vulnerability disclosure and warns its Digital Crimes Unit may pursue legal action against those who do not.
CISA’s emergency directive on BlueHammer was issued May 2026.