
Microsoft threatened a security researcher with criminal charges, and the cybersecurity community isn't having it

Microsoft deleted the researcher's bug report account, suspended their GitHub, and threatened criminal charges, all while three zero-days remain unpatched.

By Hassam Nasir, Tech Reporter
TL;DR: Microsoft threatened criminal charges against researcher Nightmare Eclipse over uncoordinated zero-day disclosures of six Windows vulnerabilities, sparking backlash from the cybersecurity community. Three of the vulnerabilities remain unpatched, including YellowKey, which bypasses the default TPM-only BitLocker configuration on Windows 11 and poses an ongoing risk to administrators.

A public dispute between Microsoft and security researcher Nightmare Eclipse has escalated into a full-scale backlash from the cybersecurity community, after Microsoft threatened criminal prosecution over a series of uncoordinated zero-day disclosures.

Between early April and mid-May 2026, Nightmare Eclipse published proof-of-concept exploit code for six Windows vulnerabilities without coordinating with Microsoft. Three of them, BlueHammer, RedSun, and UnDefend, were confirmed as being used in live attacks shortly after going public, prompting emergency patches and leading CISA to add them to its Known Exploited Vulnerabilities catalog. The other three, YellowKey, GreenPlasma, and MiniPlasma, remain unpatched.

Following these disclosures, Microsoft published a formal blog post describing uncoordinated disclosures as "never justifiable" and warning that its Digital Crimes Unit could pursue criminal charges against those responsible. The company also had Nightmare Eclipse's GitHub account suspended around May 23, followed by their GitLab account between May 26 and 27.


Nightmare Eclipse disputes the framing entirely. The researcher claims Microsoft deleted the Security Response Center account used to file the original bug reports and refused further contact. "You literally deleted the Microsoft account I used to report bugs to you with, and I got zero pennies from doing so," the researcher wrote publicly.

The security industry is largely not siding with Microsoft, either. Security researcher Katie Moussouris publicly criticized the blog post, saying the prosecution threat would push researchers away from trusting Microsoft and ultimately make things less safe for everyone. Kevin Beaumont, a former Microsoft security engineer, called the situation "a dumpster fire of their own making," noting that Microsoft previously hired researchers who had published zero-days without warning, the same behavior it now describes as criminal.

Microsoft's position is that uncoordinated disclosures like these put exploit code into the hands of bad actors before patches are ready, causing real harm to customers. Researchers counter that vendors often ignore or indefinitely delay fixing reported vulnerabilities until public pressure forces their hand, leaving the coordinated disclosure model feeling one-sided.

For now, the takeaway is that three vulnerabilities remain unpatched amid this dispute, and administrators should treat YellowKey, GreenPlasma, and MiniPlasma as active risks. YellowKey, in particular, is a zero-day exploit that bypasses Windows 11's default TPM-only BitLocker protection, allowing an attacker with physical access to unlock an encrypted drive without the recovery key. Because the default configuration is the one at risk, the first practical step is to find out which volumes in your fleet actually rely on a TPM-only key protector.
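The following PowerShell script is an added example for readers of this article; it is not code from the article, from Microsoft, or from Nightmare Eclipse, and it does not interact with YellowKey in any way. It uses the standard BitLocker module cmdlet Get-BitLockerVolume to inventory every encrypted volume and flag operating-system volumes whose only protector is the TPM, which is the Windows 11 default configuration the article says YellowKey bypasses. The classification labels (EXPOSED, OK, REVIEW) and the function name are this example's own choices. The article does not state whether adding a pre-boot PIN defeats YellowKey; the script only reports which machines match the default setup so an administrator can prioritise them.

```powershell
# Added example, not from the article: report which BitLocker volumes rely on a
# TPM-only key protector (the Windows 11 default) versus pre-boot authentication.
# Requires the BitLocker PowerShell module and an elevated session.
# NOTE: the article does not say whether TPM+PIN blocks YellowKey; this script
# only identifies volumes that match the default configuration it describes.

function Get-BitLockerExposureReport {
    # KeyProtectorType value for a bare TPM protector (no PIN, no startup key).
    $tpmOnly = 'Tpm'
    # Protector types that require something from the user before the OS boots.
    $preBootAuth = @('TpmPin', 'TpmPinStartupKey', 'TpmStartupKey', 'Password')

    Get-BitLockerVolume | ForEach-Object {
        $vol   = $_
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasPreBoot = @($types | Where-Object { $preBootAuth -contains $_ }).Count -gt 0

        $finding = if ($vol.ProtectionStatus -ne 'On') {
            'NOT PROTECTED: BitLocker is off or suspended'
        } elseif (($types -contains $tpmOnly) -and -not $hasPreBoot) {
            'EXPOSED: TPM-only protector, no pre-boot PIN or startup key (Windows 11 default)'
        } elseif ($hasPreBoot) {
            'OK: pre-boot authentication required to unseal the volume key'
        } else {
            'REVIEW: no TPM protector (data volume or unusual configuration)'
        }

        [pscustomobject]@{
            MountPoint    = $vol.MountPoint
            VolumeType    = $vol.VolumeType
            Protection    = $vol.ProtectionStatus
            Encryption    = $vol.EncryptionMethod
            KeyProtectors = ($types -join ', ')
            Finding       = $finding
        }
    }
}

# Print the report; pipe to Export-Csv instead when collecting from many hosts.
Get-BitLockerExposureReport | Format-Table -AutoSize
```

The same information for a single drive is available without PowerShell via `manage-bde -protectors -get C:`. Volumes reported as EXPOSED are the ones that unseal their key automatically at boot because the TPM measurements match; the long-standing hardening for that configuration is to add a pre-boot PIN with `Add-BitLockerKeyProtector -MountPoint C: -TpmAndPinProtector -Pin (Read-Host -AsSecureString)` after enabling the "Require additional authentication at startup" policy. Treat that as general hardening against physical-access attacks on TPM-only BitLocker, not as a confirmed fix for YellowKey, which the article does not describe in enough detail to say.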

News Source: microsoft.com


Hassam is a veteran tech journalist and editor with over eight years of experience embedded in the consumer electronics industry. His obsession with hardware began with childhood experiments involving semiconductors, a curiosity that evolved into a career dedicated to deconstructing the complex silicon that powers our world. From benchmarking PC internals to stress-testing flagship CPUs and GPUs, Hassam specializes in translating high-level engineering into deep, unbiased insights for the enthusiast community.
