DMR News


Microsoft Threatens Legal Action Against Researcher Who Disclosed Unpatched Bugs

By Jolyen

May 30, 2026


Microsoft is threatening legal action and law enforcement involvement after security researcher “Nightmare Eclipse” published unpatched bugs and exploit code for Microsoft products. The company said the researcher failed to report the flaws for fixes and publicly disclosed them before patches, which Microsoft and CISA said may have aided malicious actors and enabled real-world attacks.

Vulnerabilities And Products Affected
The disclosed bugs include BlueHammer (CVE-2026-33825), RedSun (CVE-2026-41091), UnDefend (CVE-2026-45498), and YellowKey (CVE-2026-45585). These flaws affected Microsoft Defender antivirus and BitLocker disk encryption, among other products.

Microsoft’s Position On Disclosure
Microsoft’s blog post criticized the researcher for not attempting responsible reporting through the Microsoft Security Response Center prior to publication. The company argued that publishing exploit details before patches helped attackers and that its Digital Crimes Unit will pursue civil legal actions and criminal referrals in coordination with law enforcement globally.

Researcher’s Claim Of Misconduct
Nightmare Eclipse said in a series of blogs that they contacted Microsoft but were mistreated and had their MSRC account revoked, leaving them no choice but to publish the vulnerabilities publicly. The researcher posted bugs and exploit code on GitHub and GitLab; Microsoft subsequently banned the accounts.

Debate Over Researcher Responsibility
The incident reignites debate over whether independent researchers have a duty to coordinate disclosure so vendors can fix vulnerabilities. The cybersecurity community widely agrees researchers should be paid for their work, and bug bounty programs now often offer six-figure rewards for private disclosures and coordinated publishing after fixes.

Community Backlash Against Microsoft
Countless researchers shared negative experiences reporting bugs to Microsoft, and many expressed distrust of the company’s approach. Katie Moussouris, who helped pioneer Microsoft’s bug bounties and shift to coordinated disclosure, criticized invoking “responsible” disclosure and threatening prosecution as over the top and likely to chill future reporting.

Additional Criticism From Veteran Researchers
Kevin Beaumont, a security researcher and former Microsoft employee, called the company’s stance a self-made “dumpster fire” and argued that framing proof-of-concept exploit creation as criminal activity sets a dangerous precedent. He said responsible disclosure often protects product owners more than customers and that prosecuting researchers in this way is a new low.


Featured image credits: Wikimedia Commons

