
Microsoft threatened a security researcher with criminal prosecution. The cybersecurity community is furious.

May 30, 2026

TL;DR

Microsoft threatened legal action against a researcher who published unpatched Defender and BitLocker bugs. Veterans warn of a chilling effect.

Microsoft published a blog post on Wednesday criticising a security researcher known as “Nightmare Eclipse” for publicly disclosing a series of unpatched vulnerabilities in Windows Defender and BitLocker. The company then invoked its Digital Crimes Unit, which handles criminal referrals and law enforcement coordination. The cybersecurity community responded with outrage.

The bugs, named BlueHammer, RedSun, UnDefend, and YellowKey, affect Microsoft’s built-in antivirus engine and disk-encryption tool. The researcher published exploit code on GitHub (owned by Microsoft) and GitLab without giving Microsoft time to patch. Some of the vulnerabilities have since been exploited by attackers in real-world attacks, according to Microsoft and CISA.

Microsoft’s position is that the researcher should have reported the bugs privately so the company could fix them before public disclosure. The company called this “responsible” disclosure. Its blog post warned that its Digital Crimes Unit “will continue bringing cases against these actors and those that enable their criminal activity.”

Nightmare Eclipse tells a different story. In a series of blog posts published over the past two weeks, the researcher claimed to have been in contact with Microsoft. The company allegedly revoked access to their Microsoft Security Response Center account, the portal where researchers submit vulnerability reports.

The researcher’s implication was that they had no choice but to publish the vulnerabilities publicly. At the point of publication, the bugs were zero-days: flaws unknown to the software maker at the time they are disclosed or exploited. The researcher’s GitHub and GitLab accounts have since been banned.

Neither Nightmare Eclipse nor Microsoft responded to TechCrunch’s request for comment.

Cybersecurity veterans have responded with sharp criticism. Katie Moussouris, founder of Luta Security and the person who pioneered Microsoft’s own bug bounty programme in the mid-2000s, said the company’s language was inflammatory. “Invoking the term ‘responsible’ disclosure was the first strike,” she told TechCrunch. “Adding a threat of prosecution by mentioning DCU was over the top.”

Moussouris warned the consequences could extend beyond this case. “It will only result in security researchers distrusting Microsoft,” she said. Fewer researchers coming forward to report bugs “makes it less safe for all of us.”

Kevin Beaumont, a security researcher and former Microsoft employee, called the company’s position “a dumpster fire of its own making.” He wrote: “Proof of concept exploit creation and distribution for zero days is ‘criminal activity’ now? Responsible disclosure quite often is framed to protect the product owner, not the customer.”

The debate over disclosure is decades old but not fully resolved. The industry consensus is “coordinated disclosure”: researchers report bugs privately, companies fix them, and the details are published once a patch is available. Moussouris herself convinced Microsoft to adopt this language while working there, replacing the term “responsible disclosure,” which researchers viewed as framing the company’s interests as the moral default.

Microsoft’s decision to revert to “responsible” language and threaten criminal referrals is a significant step backwards. Bug bounty programmes exist because the industry learned, through years of adversarial relationships, that paying researchers to disclose privately is cheaper and safer than ignoring them until they go public. Most companies now pay six-figure bounties for critical vulnerabilities.

Anthropic’s Project Glasswing found 10,000 critical vulnerabilities in one month across open-source software, and only 97 have been patched. The gap between discovery and remediation is widening across the industry. Threatening the people who find the bugs does not close that gap. It widens it.

The AI security landscape is creating new categories of vulnerability faster than companies can address them. OpenClaw’s Claw Chain exploit, Taiwan’s TETRA rail hack, and now Microsoft’s own products all illustrate the same dynamic: the attack surface is growing, the researchers who map it are essential, and alienating them has consequences.

The practical question is what happens when a researcher finds a critical bug, reports it through the proper channel, and the company revokes their account. If Nightmare Eclipse’s account of the MSRC revocation is accurate, Microsoft created the conditions for the public disclosure it is now condemning. If it is not accurate, Microsoft has not said so.

The chilling effect Moussouris described is already visible. Countless researchers shared their own negative experiences reporting bugs to Microsoft in response to the blog post. A company that depends on external researchers to find flaws in products used by more than a billion people is telling those researchers that finding flaws could lead to criminal prosecution. The message is clear. Whether it is wise is another question entirely.
