Finding bugs in Microsoft products used to come with a clear social contract. You find it, you report it privately, you wait for a fix, then you publish. Microsoft gets to patch quietly. You get credit and maybe a bug bounty. Nowadays that contract seems to have gotten complicated.
A researcher going by Nightmare Eclipse published a series of unpatched vulnerabilities in Microsoft products including Windows Defender and BitLocker, along with working exploit code, without giving Microsoft a chance to fix them first. Microsoft responded with a blog post threatening criminal referrals and invoking its Digital Crimes Unit.
The cybersecurity community, the same community Microsoft depends on to find these bugs before actual criminals do, reacted about as well as you’d expect.
What actually happened
Nightmare Eclipse, who has released six Windows zero-days over the past several weeks, claims they did try to work with Microsoft. According to posts the researcher published, Microsoft revoked their Microsoft Security Response Center account, the official portal researchers use to report vulnerabilities privately. With that channel closed, reporting future vulnerabilities became practically impossible.
“When I actively asked you to communicate with me, you refused, humiliated me and made sure to insult me in front of your people,” Nightmare wrote in one post. “You defame me in public even though you literally deleted the Microsoft account I used to report bugs to you with and I got zero pennies from doing so.”
Microsoft’s position is that none of the six vulnerabilities (RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma) were reported through official channels before going public. Three of them (BlueHammer, RedSun, and UnDefend) were being actively exploited in real attacks within hours of Nightmare publishing working exploit code.
Microsoft did not answer questions from press about whether it revoked Nightmare’s MSRC account, whether the researcher is a current or former employee, or whether its legal team planned to take action. The silence on those specific questions is its own kind of answer.
Why this backfires on Microsoft
Dustin Childs, who spent seven years at Microsoft security and now leads bug hunting at Zero Day Initiative, told The Register that Microsoft could have handled this better and questioned what happened between the two parties to reach this point.
“CVD is a two-way street,” Childs said. “The vendor has some responsibility as well, so to go out publicly stating this person violated CVD without showing any of the correspondence seems bold.”
Katie Moussouris, who pioneered Microsoft’s bug bounty program and later founded Luta Security, told The Register the company’s response sends mixed messages. The blog post claims their program ensures researchers are compensated and publicly acknowledged, while simultaneously responding to a researcher who says he received neither compensation nor acknowledgment.
“The mention of the Digital Crimes Unit in a post discussing vulnerability disclosure makes the post vaguely threatening, which seems intentional,” Moussouris said. “No one except the parties involved can know for sure what happened between this researcher and Microsoft. Whatever the facts, it’s hard to imagine why Microsoft would not try to deescalate, if for no other reason than avoiding the chilling effect on other researchers.”
Kevin Beaumont, a security researcher and former Microsoft employee, wrote on Medium that Microsoft’s position was a dumpster fire of its own making. His sharpest point wasn’t about Nightmare Eclipse specifically. It was about Microsoft’s history.
In 2019 Microsoft publicly hired a hacker called SandboxEscaper after she published zero-day proof of concept exploits for Microsoft products without coordination. The same behavior Microsoft’s blog now describes as potentially criminal activity is something Microsoft previously rewarded with a job offer. That’s a difficult contradiction to defend in public and an even harder one to defend in court.
“If Microsoft’s tactic is to try to criminalise not following often arbitrary responsible disclosure frameworks, good luck defending that in court,” Beaumont wrote, “because there’s a whole clown car of prior decision making within Microsoft and facts which would emerge in that process.”
The debate this reopens
Moussouris framed the power imbalance clearly when speaking to The Register. The researcher’s GitHub account was deleted. Payments were withheld. Credit was stripped. Then Microsoft publicly accused them of violating coordinated disclosure after closing the channel they needed to coordinate through.
“This is a David and Goliath dynamic we don’t like to see play out,” Moussouris said, “especially since it’s users who lose when coordination negotiations fail.”
Childs added that this isn’t an isolated problem. Researchers have been complaining about Microsoft’s disclosure process for years, and the situation is getting worse, not better.
“While some companies have improved, Microsoft has not,” Childs told The Register. “If anything, they are seen as difficult to work with, especially if your bug is Moderate instead of Critical. I’ve had researchers tell me that they stopped looking at Microsoft altogether because they were too difficult to work with.”
That last sentence is the one Microsoft should be most worried about. Researchers stopping means bugs don’t get found through friendly channels. They get found by people who don’t tell Microsoft anything.
What this means for the people actually running Windows
Nightmare Eclipse has promised a “bone shattering” drop on July 14. Whether that happens or not, the damage from the first six vulnerabilities is already documented. Three of them were being exploited in real attacks within hours of the exploit code going public. One systems engineer described one person causing more enterprise-level damage in six weeks than most advanced persistent threat groups cause in a year.
That’s the practical consequence of disclosure going wrong: real attacks on real systems, because a vulnerability went public without a patch ready.
Childs told The Register that Microsoft needs to do better at communicating to customers what the real risks from these bugs are and how they can defend themselves. That clear direction is currently missing.
It’s missing because Microsoft spent its energy writing a blog post threatening criminal referrals instead of publishing mitigation guidance. Three vulnerabilities are still unpatched: YellowKey, GreenPlasma, and MiniPlasma have no fixes, and Microsoft considers exploitation of YellowKey more likely given the working proof of concept that’s already out there.
The people who lose when this kind of breakdown happens aren’t the researchers or Microsoft’s legal team. They’re the IT administrators scrambling to assess exposure and the regular users who have no idea any of this is happening. The bugs are Microsoft’s, as Moussouris told The Register. They wrote the code and they own the risk to customers.
Threatening the people who find those bugs is a strange way to make that risk smaller.