zero-day vulnerability disclosure MSRC security research Microsoft

Microsoft Threatened a Security Researcher With Criminal Charges. It Did Not Go Well.

3 June 2026

An anonymous security researcher known as "Nightmare-Eclipse" published six zero-day exploits for unpatched Windows vulnerabilities after claiming Microsoft failed to address the reported bugs, prompting Microsoft's Security Response Center to condemn the actions and hint at potential criminal prosecution. This sparked widespread backlash from the cybersecurity community, with prominent researchers arguing that threatening legal action against security researchers discourages responsible disclosure and pushes researchers toward selling vulnerabilities to malicious actors instead. Microsoft subsequently walked back its position, clarifying it had no intention of pursuing action against researchers conducting legitimate security research.

Microsoft has spent the last week in damage control after its own security response team managed to alienate large chunks of the infosec community in a single blog post.

The backstory: an anonymous researcher going by 'Chaotic-Eclipse' or 'Nightmare-Eclipse' has been on a months-long campaign of publishing uncoordinated zero-day disclosures. It started in April with a proof-of-concept exploit for a Windows Defender privilege-escalation flaw called BlueHammer (CVE-2026-33825), followed shortly by two more, RedSun and Undefend. All three were quickly picked up and exploited in the wild. The researcher's stated motivation was frustration with Microsoft's handling of the reported bugs, claiming the company had simply refused to act.

The drops continued into May, with three further vulnerabilities published under the names YellowKey, GreenPlasma, and MiniPlasma. Six zero-days in total, each one an implicit accusation that Microsoft's vulnerability triage process is broken.

Microsoft's Security Response Center (MSRC) eventually responded in a blog post, condemning what it called 'uncoordinated disclosures' and warning that its Digital Crimes Unit would 'continue bringing cases against these actors and those that enable their criminal activity.' The line about coordinating with law enforcement worldwide was not subtle. The community read it as a direct threat against Nightmare-Eclipse and, potentially, any other researcher with the nerve to publish unpatched bugs publicly.

The backlash was swift and not particularly polite.

Katie Moussouris, who more or less invented modern vulnerability disclosure programmes and runs Luta Security, pointed out that publishing zero-days is nowhere near the worst thing a researcher can do. Non-disclosure is worse. And what pushes researchers toward non-disclosure? Vendor threats, exactly like the one Microsoft had just issued. When vendors weaponise legal processes, researchers do not suddenly become cooperative. They go quiet, sell to brokers, or disappear entirely. None of those outcomes benefit Microsoft's customers.

BugCrowd founder Casey Ellis called Microsoft's approach 'an insanely myopic move, especially after all of the investment they've made into presenting a secure, transparent, and research-friendly face to the market.' Andrew Case at Volexity said MSRC had just torched a decade's worth of built-up goodwill with a single post. VX-Underground, which knows the research underground rather well, suggested Microsoft had pushed things to a tipping point.

Others used the moment to air older grievances. Gabriel Landau, formerly of Elastic, wrote up a detailed account of reporting a Device Guard bypass to Microsoft, watching it get quietly patched in a Patch Tuesday update, and then being told it didn't meet the threshold for a CVE. 'The interaction left such a bad taste in my mouth that I don't really feel like interacting with them again,' he wrote.

Microsoft blinked. On Sunday evening the company issued a follow-up statement clarifying that it has no intention of pursuing legal action against researchers conducting or publishing security research, and that any law enforcement coordination would be reserved for genuinely malicious activity causing real customer harm. The original blog post's tone was, diplomatically speaking, not that.

There is a broader context worth flagging. The vulnerability disclosure ecosystem is under strain right now, partly because AI tooling has made it easier to generate plausible-sounding bug reports en masse. Vendors including Microsoft are reportedly drowning in low-quality submissions, many of which appear to have been drafted with LLMs rather than actual analysis. Ellis described it as 'triage stress,' warning that the pressure to filter the noise risks causing real vulnerabilities to get dismissed alongside the garbage.

Meanwhile, Nightmare-Eclipse is not done. Last Friday the researcher announced that other researchers had independently handed over additional vulnerabilities, with more drops apparently planned. A post from the previous week made a pointed reference to July 14th as a date Microsoft should mark in its calendar. Whether that is a genuine threat or theatre is unclear, but six exploited zero-days in two months suggests the researcher is not bluffing.

Microsoft declined to comment further beyond the Sunday statement.