Microsoft has set off a firestorm in the cybersecurity world after threatening legal action against a researcher who published a string of unpatched vulnerabilities, complete with working exploit code. The threat reopened an old wound in the security community: what duty, if any, do independent researchers owe to the wealthy tech giants whose products they probe? The answer isn't as settled as Microsoft would like it to be.

What Sparked the Microsoft Security Researcher Dispute

A researcher operating under the handle "Nightmare Eclipse" recently went public with several flaws affecting Microsoft products, releasing not just the bug details but the code needed to exploit them. The affected products were no small fry. They included Defender, the antivirus engine baked into Windows, and BitLocker, Microsoft's disk-encryption tool. The disclosed vulnerabilities carried names like BlueHammer, RedSun, UnDefend, and YellowKey.

On Wednesday, Microsoft fired back with a blog post taking the researcher to task for going public instead of quietly reporting the bugs. The company's central grievance is that Nightmare Eclipse never gave Microsoft a chance to patch the flaws before exposing them. That, Microsoft argued, would have been the "responsible" thing to do. The deeper worry is that by handing out exploit instructions for unpatched bugs, the researcher essentially gave malicious hackers a roadmap. And according to both Microsoft and the U.S. cybersecurity agency CISA, some of those vulnerabilities have already turned up in real-world attacks.

The Threat of Criminal Referral

The line that really lit the fuse came when Microsoft invoked its Digital Crimes Unit. "Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity — coordinating as needed with law enforcement around the world," the company wrote. The unit's stated job is protecting Microsoft through a mix of civil legal actions, technical countermeasures, criminal referrals, and public-private partnerships. Framing a security researcher's work as something that might warrant a criminal referral was, to many in the field, a bridge too far.

Two Sides of the Disclosure Story

Nightmare Eclipse tells a different version of events. In a series of blog posts over the past couple of weeks, light on specifics, the researcher claimed to have actually been in contact with Microsoft, only to be mistreated. That alleged mistreatment included having their Microsoft Security Response Center account revoked, the very portal researchers use to report vulnerabilities in the first place. The implication was clear: with that door slammed shut, going public was the only path left. And once those flaws went public without a fix in place, they became zero-days, the term for security holes that are disclosed or exploited before the software maker has a patch available, leaving it zero days to respond.

The researcher posted the bugs on GitHub, which Microsoft happens to own, and on GitLab. Both accounts have since been banned. Neither Nightmare Eclipse nor Microsoft responded to requests for comment.

A Long-Running Debate Over Vulnerability Disclosure

This spat dragged a thorny old question back into the spotlight. Do independent researchers have a duty to make sure the bugs they find actually get fixed? And if so, how far are they obligated to go to push reluctant companies into action?

What's Already Settled

One piece of this debate is no longer up for argument: researchers deserve to be paid for what they find. It sounds obvious now, but getting there took years of fighting, captured in a 2009 campaign called "No More Free Bugs." Nearly two decades later, paying out "bug bounties" is standard practice across companies big and small, with rewards that can climb into six figures or beyond for researchers who report bugs privately and hold off on public disclosure until a patch lands.

Where the Community Stands Now

Much of the cybersecurity world is openly frustrated with how Microsoft has handled this. After the controversy broke, a flood of researchers shared their own sour experiences reporting bugs to the company.

Among the critics is Katie Moussouris, founder of Luta Security, who carries serious weight here. While at Microsoft, from the late 2000s into the early 2010s, she pioneered the company's bug bounty programs and pushed it away from the loaded term "responsible disclosure" toward the more neutral "coordinated disclosure." Her reaction was blunt. "Invoking the term 'responsible' disclosure was the first strike in my book," Moussouris said, adding that "adding a threat of prosecution by mentioning [Digital Crimes Unit] was over the top, and will only result in security researchers distrusting Microsoft." She warned this could chill the whole ecosystem, with fewer people willing to come forward and report bugs, "making it less safe for all of us."

Kevin Beaumont, a security researcher and former Microsoft employee, didn't pull punches either, calling the company's position a "dumpster fire of its own making." As he put it, the idea that "proof of concept exploit creation and distribution for zero days is 'criminal activity' now?" struck him as a dangerous shift. He argued that responsible disclosure is often framed to shield the product owner rather than the customer, and using it to threaten criminal prosecution marked "a new low."