A fierce debate over vulnerability reporting has been reignited across the global cybersecurity ecosystem. Microsoft is facing significant backlash from the threat intelligence community after releasing a statement that strongly implies potential criminal prosecution against a pseudonymous security researcher. The researcher, operating under the handles “Nightmare Eclipse” and “Chaotic Eclipse,” has spent the past two months publicly dropping unpatched Windows zero-day vulnerabilities alongside functional proof of concept (PoC) exploit code.
The conflict highlights an increasingly volatile relationship between independent bug hunters and major technology vendors. Over the past several weeks, Nightmare Eclipse bypassed standard industry reporting channels to drop six severe Windows flaws codenamed BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, and MiniPlasma.
According to advisories from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), three of these flaws have already been observed in live, real-world intrusions.
In an official public response, the Microsoft Security Response Center (MSRC) condemned the rogue disclosures, warning that unauthorized transparency actively harms end users.
“Uncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable and have real-world consequences,” Microsoft stated.
However, it was the tech giant’s subsequent warning regarding legal escalation that triggered widespread outrage among security professionals: “Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity, coordinating as needed with law enforcement around the world.”
To many in the industry, utilizing the Digital Crimes Unit to target an individual publishing code crosses an unacceptable line, effectively attempting to criminalize non-compliance with corporate reporting guidelines.
A One-Sided Contract: The Researcher’s Grievances
While the security community largely agrees that dropping live exploits puts public infrastructure at risk, many argue that Microsoft’s own internal failures drove the researcher to extremes. On their personal blog, Nightmare Eclipse claimed they initially tried to play by the rules, but were met with corporate hostility, withheld bounty payments, and deleted communication accounts.
“They mopped the floor with me and pulled every childish game they could,” the researcher wrote. “It was soo bad at some point I was wondering if I was dealing with a massive corporation or someone who is just having fun seeing me suffer but it seems to be a collective decision.”
Defending their decision to leak the exploits for free rather than selling them to cybercriminals, the researcher added, “I could have made some insane cash selling this but no amount of money will stand between me and my determination against Microsoft.”
Following the initial leaks, Microsoft used its ownership of GitHub, and coordinated with GitLab, to scrub the researcher’s repositories and permanently ban their accounts. The digital eviction only exacerbated the situation, leading Nightmare Eclipse to issue a stark warning for July 14, Microsoft’s scheduled Patch Tuesday: “Microsoft has chosen to make this worst instead of resolving the situation like adults, they pulled every childish game possible… I will make sure your bones are shattered that day.”
Prominent cybersecurity figures have quickly pointed out that Coordinated Vulnerability Disclosure (CVD) is meant to be a two-way street, accusing Microsoft of treating independent researchers like adversaries rather than partners.
Katie Moussouris, CEO of Luta Security and the original architect of Microsoft’s bug bounty program, noted that the tech giant’s framing of the situation shifts blame away from their own platform management. She warned that aggressive corporate posturing historically yields dangerous results, noting that while dropping zero-days is deeply problematic, “Non-disclosure is far worse. What drives researchers toward non-disclosure? Threats from vendors.”
Kevin Beaumont, a prominent security researcher and former Microsoft employee, expressed deep concern over the precedent Redmond is trying to set.
“I’m deeply uncomfortable with Microsoft attempting to weaponize their extensive law enforcement contacts to arrest people who post zero days in the products,” Beaumont remarked. “By continually removing just exploits for their own products from GitHub and declaring ‘criminal activity,’ it’s a Rubicon you shouldn’t cross.”
Beaumont further questioned the legal validity of Microsoft’s threats, adding, “If Microsoft’s tactic is to try to criminalize not following often arbitrary ‘responsible disclosure’ frameworks, good luck defending that in court because there’s a whole clown car of prior decision making within Microsoft and facts which would emerge in that process.”
Other engineering professionals echoed these sentiments, emphasizing that tech conglomerates cannot bully the global research community into submission. Eric Warnke, a support engineer at Nvidia, summed up the industry sentiment cleanly: “You cannot compel independent security researchers. You can only make it more or less attractive to work with you. Microsoft made it less attractive, and now they’re writing blog posts about shared responsibility. That’s a CYA, not a bug program designed to encourage reporting.”
As the July deadline approaches, the situation remains a stark reminder that the digital safety of the global ecosystem relies entirely on mutual respect between the entities writing the software and the independent minds finding its cracks.