Microsoft has responded to backlash over its threats of legal action against researchers who publicly disclose zero-day vulnerabilities without coordinated notification.
The controversy concerns a researcher known online as Chaotic Eclipse and Nightmare Eclipse, who in recent weeks disclosed the details and proof-of-concept (PoC) exploits for several unpatched vulnerabilities affecting Microsoft products.
Details remain unknown, but it appears there was a disagreement between the researcher and Microsoft during a vulnerability disclosure process. The researcher then decided to release the details of several vulnerabilities that had not been reported to Microsoft.
The list includes RedSun (CVE-2026-41091), UnDefend (CVE-2026-45498), BlueHammer (CVE-2026-33825), YellowKey (CVE-2026-45585), GreenPlasma, and MiniPlasma.
Most of these vulnerabilities can be exploited to escalate privileges. YellowKey allows an attacker to bypass BitLocker protection, and UnDefend is a Microsoft Defender denial-of-service (DoS) vulnerability.
Microsoft has begun releasing patches and mitigations for the vulnerabilities, but several have already been exploited in the wild, including BlueHammer, RedSun, and UnDefend.
The researcher has expressed deep disgruntlement with Microsoft, accusing the company of humiliating them, ignoring their communications, failing to compensate them for reported vulnerabilities, and publicly defaming them.
Microsoft, on the other hand, is unhappy with Nightmare Eclipse’s approach, saying the researcher exposed customers to unnecessary risk.
The company disabled the researcher’s account on its vulnerability reporting portal and on GitHub, where the PoC exploits had been released and which Microsoft owns.
“We remain firmly opposed to these actions, and any disclosure outside proper coordination that could harm our customers and the digital ecosystem. Uncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable and have real-world consequences,” Microsoft said in a blog post dated May 27.
The tech giant added, “Our security teams across the company work tirelessly tracking threat actors who look for weaknesses just like these to attack Microsoft and our customers. Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity – coordinating as needed with law enforcement around the world.”
This remark sparked discussion and backlash, with some members of the cybersecurity community viewing it as a threat of legal action for disclosing unpatched vulnerabilities.
“I’m deeply uncomfortable with Microsoft attempting to weaponize their extensive law enforcement contacts to arrest people who post zero days in the products,” researcher Kevin Beaumont commented.
Florian Roth, head of research at Nextron Systems, noted, “Maybe Nightmare Eclipse was unreasonable. Maybe Microsoft was. Maybe both. But I think Microsoft badly misjudged this situation.”
“When you’re the largest software vendor on the planet, you don’t get to behave like an angry individual in an internet argument. You have to be the adult in the room,” Roth added. “Deleting repositories, talking about criminal investigations and turning the whole thing into a public fight was a mistake. The damage from that goes far beyond this one researcher.”
In response to the backlash, Microsoft issued clarifications via X on June 1. The company affirmed its deep appreciation for the security research community and acknowledged that relationships between researchers and vendors can sometimes be challenging.
“To be clear about our approach to legal matters, we have no intention to pursue action against individuals conducting or publishing their security research,” Microsoft said. “When an individual breaks the law and engages in malicious activity causing real harm to our customers, we will work with law enforcement as appropriate.”
It added, “The security community plays a vital role in helping us protect customers. We are committed to maintaining a constructive and respectful relationship and growing together. We know that, given the nature of this work, there will at times be misunderstandings. We remain committed to engaging in good faith and to providing a respectful and professional experience for all researchers, regardless of past interactions.”
In response to Microsoft’s post, Nightmare Eclipse suggested on X that the company did file legal action against them over the disclosures.
The researcher plans on releasing a full BitLocker bypass later this month.
Related: Oracle WebLogic Vulnerability Exploited in the Wild
Related: Android Update Patches Exploited Zero-Day, 123 Other Vulnerabilities
