Microsoft warned a security researcher of potential criminal charges, sparking outrage within the cybersecurity community.

TL;DR: Microsoft has threatened legal action against a researcher who revealed unpatched vulnerabilities in Defender and BitLocker, prompting warnings from industry veterans about a potential chilling effect.

On Wednesday, Microsoft criticized a security researcher known as “Nightmare Eclipse” for disclosing unpatched vulnerabilities in Windows Defender and BitLocker. The company invoked its Digital Crimes Unit, which handles criminal referrals and works with law enforcement. The move sparked outrage within the cybersecurity community.

The vulnerabilities, labeled BlueHammer, RedSun, UnDefend, and YellowKey, affect Microsoft's antivirus and disk encryption software. The researcher released exploit code on GitHub and GitLab without giving Microsoft time to address the issues. According to Microsoft and CISA, some of these vulnerabilities have reportedly been exploited by attackers in the wild.

Microsoft argues that the researcher should have reported the vulnerabilities privately so they could be fixed before public disclosure, which the company calls "responsible" disclosure. Its blog post warned that the Digital Crimes Unit "will continue bringing cases against these actors and those who facilitate their criminal activities."

Nightmare Eclipse, however, gives a different account. In several recent blog posts, the researcher claimed to have been in contact with Microsoft and alleged that the company revoked their access to the Microsoft Security Response Center (MSRC), where vulnerabilities are usually reported.

The researcher suggested that they felt compelled to make the vulnerabilities public. At the time of publication, the flaws were zero-days, meaning they were unknown to the software maker when disclosed or exploited. Since then, Nightmare Eclipse's GitHub and GitLab accounts have been banned.

Neither Nightmare Eclipse nor Microsoft responded to TechCrunch's request for comment.

Cybersecurity veterans have voiced strong criticism. Katie Moussouris, founder of Luta Security and a pioneer of Microsoft’s bug bounty program in the mid-2000s, described the company's language as provocative. She said that invoking "responsible" disclosure was the first problem, and that raising the prospect of prosecution via the DCU was excessive.

Moussouris cautioned that this could have broader consequences. “It will only result in security researchers distrusting Microsoft,” she said. A decline in researchers reporting bugs “makes it less safe for all of us.”

Kevin Beaumont, a security researcher and former Microsoft employee, called the company's stance a "dumpster fire of its own making." He added, “Is creating and sharing proof of concept exploits for zero-days considered ‘criminal activity’ now? Responsible disclosure often tends to protect the product owner over the customer.”

The debate over disclosure has persisted for decades without a full resolution. The industry generally supports “coordinated disclosure”: researchers privately report bugs, companies fix them, and details are shared once patches are available. Moussouris helped convince Microsoft to adopt this terminology during her tenure, replacing “responsible disclosure,” which many researchers felt prioritized the interests of the company.

Microsoft’s return to “responsible” terminology, combined with the threat of legal action, marks a significant regression. Bug bounty programs exist because the industry has learned that paying researchers for private disclosures is cheaper and safer than ignoring them until public release. Today, many companies offer six-figure bounties for critical vulnerabilities.

Anthropic’s Project Glasswing recently identified 10,000 critical vulnerabilities in a month across open-source software, of which only 97 have been addressed. The gap between finding vulnerabilities and fixing them is widening across the industry. Threatening those who discover these issues only widens it further.

The AI security landscape is generating new types of vulnerabilities faster than companies can keep up. Exploits like OpenClaw’s Claw Chain, Taiwan’s TETRA rail hack, and vulnerabilities in Microsoft products demonstrate the growing attack surface, the importance of researchers, and the cost of alienating them.

The pressing issue is what happens when a researcher uncovers a significant bug, reports it through official channels, and the company then revokes their account. If Nightmare Eclipse's account of the MSRC revocation is accurate, Microsoft set the stage for the public disclosure it now criticizes. If it is not, Microsoft has not said so.

The chilling effect Moussouris warned about is already apparent. In response to the blog post, numerous researchers have recounted negative experiences reporting bugs to Microsoft. A company that relies on external researchers to find flaws in products used by over a billion people is signaling that reporting those flaws could lead to criminal charges. The message is unmistakable; whether it is wise is another matter entirely.


A researcher disclosed unaddressed vulnerabilities in Defender and BitLocker following an alleged account revocation by Microsoft. In response, Microsoft activated its Digital Crimes Unit.