Microsoft Faces Backlash Over Threat of Criminal Probe Against Security Researcher

Microsoft is facing criticism after reportedly warning a security researcher of a potential criminal investigation following the disclosure of a security vulnerability, raising concerns across the cybersecurity community.

May 31, 2026 - 11:02
Image Credits: James Martin/CNET

Microsoft is facing growing criticism after indicating it may pursue legal action and involve law enforcement following an independent security researcher’s public disclosure of several unpatched vulnerabilities. The dispute has reignited a longstanding debate within the cybersecurity community regarding the obligations researchers have when uncovering flaws in products developed by major technology companies.

On Wednesday, Microsoft published a blog post criticising a researcher known online as “Nightmare Eclipse” for publicly releasing information about several vulnerabilities, along with proof-of-concept exploit code. The disclosed flaws included BlueHammer, RedSun, UnDefend, and YellowKey, which affected Microsoft products such as the built-in Windows antivirus platform Defender and the BitLocker disk encryption system.

At the centre of Microsoft’s criticism is the claim that the researcher did not follow a process that would have allowed the company to address the issues before disclosure. Microsoft argued that reporting the vulnerabilities privately would have represented a more “responsible” course of action. The company also contended that publishing technical details and exploitation methods before patches were available may have assisted malicious actors.

According to Microsoft, some of the vulnerabilities released by Nightmare Eclipse have since been leveraged in real-world attacks. The company said the assessment is supported by findings from both Microsoft and the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

“Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity — coordinating as needed with law enforcement around the world,” Microsoft wrote. The company’s Digital Crimes Unit is responsible for protecting Microsoft through a combination of civil litigation, criminal referrals, technical responses, and public-private partnerships, according to information published by the organisation.

In a series of blog posts published over the past few weeks, Nightmare Eclipse claimed to have previously communicated with Microsoft, but alleged that the company treated them unfairly during the process. Among the complaints was the claim that Microsoft revoked access to the researcher’s Microsoft Security Response Centre account, the platform security researchers use to report vulnerabilities directly to the company.

The researcher suggested that public disclosure became the only remaining option. By releasing details before Microsoft issued fixes, the vulnerabilities effectively became zero-days, a term used to describe security flaws that are unknown to the affected vendor when they are disclosed or exploited.

The vulnerabilities were published on both GitHub, which Microsoft owns, and GitLab. Accounts associated with the researcher have since been suspended from those platforms.

Neither Microsoft nor Nightmare Eclipse responded to requests for comment.

Cybersecurity Experts Warn About Potential Consequences

The dispute has revived a controversial conversation that has existed within the cybersecurity industry for decades: What responsibility do independent researchers have to ensure vulnerabilities are fixed, and how much effort should they be expected to invest in persuading large companies to address security flaws?

One aspect of that discussion has largely been settled. Today, it is widely accepted that researchers deserve financial compensation for identifying and reporting security issues. While that idea may seem obvious now, it emerged only after years of advocacy, including the “No More Free Bugs” campaign launched in 2009. Nearly two decades later, bug bounty programs have become standard practice across much of the technology industry, with rewards often reaching six figures or more for responsibly disclosed vulnerabilities.

In response to the latest conflict involving Nightmare Eclipse, many security researchers have publicly shared their own frustrations with Microsoft’s vulnerability disclosure process. A significant portion of the cybersecurity community has voiced concern about how the company is handling the situation.

Among the critics is Katie Moussouris, founder of Luta Security and a cybersecurity veteran who helped pioneer bug bounty programs at Microsoft in the mid-to-late 2000s. Moussouris was also instrumental in encouraging Microsoft to move away from the phrase “responsible disclosure” in favour of “coordinated disclosure.”

“Invoking the term ‘responsible’ disclosure was the first strike in my book,” Moussouris said in reference to Microsoft’s blog post. “Adding a threat of prosecution by mentioning the Digital Crimes Unit was over the top and will only result in security researchers distrusting Microsoft.”

Moussouris warned that reduced trust between researchers and Microsoft could discourage people from reporting vulnerabilities in the future, ultimately making the broader technology ecosystem less secure.

“If researchers lose trust in Microsoft, fewer people may come forward with important findings, making it less safe for all of us,” she said.

Security researcher and former Microsoft employee Kevin Beaumont also criticised the company’s position in a blog post, describing the situation as “a dumpster fire of its own making.”

“Proof-of-concept exploit creation and distribution for zero-days is ‘criminal activity’ now?” Beaumont wrote. “Responsible disclosure is often framed in a way that protects the vendor rather than the customer, and attempting to use that concept to support criminal prosecution is a new low.”

The disagreement highlights the continuing tension between software vendors and independent security researchers, particularly when questions arise over disclosure practices, accountability, and the balance between public safety and corporate responsibility.

Shivangi Yadav Shivangi Yadav reports on startups, technology policy, and other significant technology-focused developments in India for TechAmerica.Ai. She previously worked as a research intern at ORF.