Microsoft Threatens Legal Action Against Cybersecurity Researchers Who Reported Vulnerabilities
TL;DR
Microsoft invoked its Digital Crimes Unit and threatened criminal prosecution against a pseudonymous researcher known as Nightmare Eclipse, who published six Windows zero-day exploits after alleging the company deleted their bug-reporting account and withheld bounty payments. The confrontation has triggered a broad backlash from the cybersecurity community, including the architect of Microsoft's own original bug bounty program, reigniting longstanding debates about who benefits from coordinated vulnerability disclosure and whether legal threats against researchers make users less safe.
On May 28, 2026, Microsoft's Security Response Center published a blog post titled "A shared responsibility: Protecting customers through Coordinated Vulnerability Disclosure." The post described the public release of unpatched vulnerability details as "never justifiable" and stated that Microsoft's Digital Crimes Unit would "continue bringing cases against these actors and those that enable their criminal activity — coordinating as needed with law enforcement around the world."
The target of this language was a pseudonymous security researcher operating under the name Nightmare Eclipse, who between early April and mid-May 2026 had published six zero-day exploits targeting core Windows components — including Windows Defender and BitLocker — with working proof-of-concept code on GitHub and later GitLab. Three of those exploits were confirmed as being used in real-world attacks within days of publication, and CISA added the first, BlueHammer, to its Known Exploited Vulnerabilities catalog in late April.
The fallout has split the cybersecurity world. Microsoft says it is protecting customers from reckless disclosure. The researcher says Microsoft stonewalled their reports and destroyed their accounts. And a growing chorus of security professionals — including the person who built Microsoft's original bug bounty program — says the company's legal threats will make everyone less safe.
The Six Exploits
Between April 3 and May 15, 2026, Nightmare Eclipse released the following exploits:
- BlueHammer (CVE-2026-33825, released April 3): A local privilege escalation exploiting a time-of-check to time-of-use (TOCTOU) race condition in Windows Defender's threat remediation engine, allowing an attacker to read the SAM hive, dump NTLM password hashes, and escalate to SYSTEM privileges. Patched April 21.
- UnDefend (CVE-2026-45498, released April 12): A denial-of-service tool targeting Defender's update mechanism. In passive mode, it silently blocks all signature updates; in aggressive mode, it fully disables Defender during platform updates. Patched May 21.
- RedSun (CVE-2026-41091, released April 16): A privileged file write via Defender's real-time scan remediation path, allowing an attacker-controlled binary to be placed in System32 and executed as SYSTEM. Patched May 21.
- YellowKey (CVE-2026-45585, released May 8): A BitLocker bypass for TPM-only configurations. As of May 31, unpatched.
- GreenPlasma (released May 12): A partial Windows local privilege escalation. Unpatched.
- MiniPlasma (released May 15): A Windows local privilege escalation reportedly exploitable on fully patched Windows 11. Unpatched.
Huntress Labs confirmed active exploitation of BlueHammer beginning April 10, 2026 — one week after the code was posted and 11 days before Microsoft's patch. In a documented customer intrusion, attackers entered through a compromised FortiGate VPN account, ran standard reconnaissance commands, then deployed BlueHammer, RedSun, and MiniPlasma in sequence to escalate privileges.
Two Irreconcilable Accounts
The dispute between Microsoft and Nightmare Eclipse centers on a factual disagreement that neither side has fully resolved with documentary evidence.
The researcher's account: Eclipse claims to have initially followed coordinated vulnerability disclosure protocols, reporting bugs through Microsoft's Security Response Center (MSRC). According to Eclipse, Microsoft refused to communicate, declined to pay any bounty, and then deleted the MSRC account used to file the reports. "You literally deleted the Microsoft account I used to report bugs to you with, and I got zero pennies from doing so," Eclipse wrote on GitLab after their GitHub account was disabled. In a post dated May 23, Eclipse stated: "I was told personally by [Microsoft] that they will ruin my life and they did."
Microsoft's account: Microsoft denies receiving any prior disclosure for any of the six exploits. The MSRC blog post does not address Eclipse's specific claims about deleted accounts or withheld payments, instead framing the situation as a clear-cut case of uncoordinated disclosure that endangered customers.
Microsoft subsequently disabled Eclipse's GitHub account around May 23 and their GitLab account between May 26 and 27. The researcher has characterized these actions as retaliatory, while Microsoft has pointed to its platform terms of service.
The Community Backlash
The cybersecurity community's response has been overwhelmingly critical of Microsoft — though not necessarily supportive of Eclipse's methods.
Katie Moussouris, founder of Luta Security and the person who designed Microsoft's original bug bounty program in the late 2000s, objected to Microsoft's framing on multiple levels. "Invoking the term 'responsible' disclosure was the first strike in my book," Moussouris said. "Adding a threat of prosecution by mentioning [Digital Crimes Unit] was over the top, and will only result in security researchers distrusting Microsoft." She warned that the consequences could include fewer researchers coming forward to report bugs, "making it less safe for all of us."
Kevin Beaumont, a former Microsoft security engineer and widely followed threat intelligence analyst, called the situation "a dumpster fire of their own making." Beaumont noted the contradiction in Microsoft's position: "Microsoft previously hired researchers who had published zero-days without warning, the same behavior it now describes as criminal." He questioned the MSRC post directly: "Proof of concept exploit creation and distribution for zero days is 'criminal activity' now?"
Multiple security firms — including Trend Micro's Zero Day Initiative, Tenable, and Check Point — have documented similar frustrations with Microsoft's coordination process, though none of these firms have publicly endorsed Eclipse's approach of dropping unpatched exploit code.
Microsoft's Bug Bounty Program: Growth and Gaps
On paper, Microsoft runs one of the largest bug bounty programs in the industry. In fiscal year 2025 (July 2024 through June 2025), Microsoft paid a record $17 million to 344 researchers from 59 countries for 1,469 eligible vulnerability reports, with the highest individual payout reaching $200,000. Since 2018, the company has paid out a cumulative $75.5 million.
In December 2025, Microsoft expanded the program to an "In Scope by Default" model, making all Microsoft products and services eligible for bounty submissions — including third-party and open-source code — even where no formal bounty program existed. The company also raised maximum awards for certain vulnerability classes, including up to $40,000 for .NET and ASP.NET Core flaws and increased payouts for AI-related vulnerabilities in Power Platform and Dynamics 365.
Microsoft's published safe harbor terms state the company will not pursue civil or criminal action against researchers who comply with its Bug Bounty Terms and Conditions, and it waives DMCA claims for circumventing technological measures within the bounty program's scope.
But these protections are conditional. They apply only to researchers who follow Microsoft's specific rules. A researcher who reports through MSRC and receives no response — as Eclipse claims happened — occupies a legal gray zone. The safe harbor does not extend to public disclosure without Microsoft's consent, and the Bug Bounty Terms give Microsoft broad discretion to determine what constitutes a qualifying submission.
By comparison, Meta's bug bounty terms explicitly authorize researchers under the Computer Fraud and Abuse Act (CFAA) and similar laws to test in-scope products, provided they make "a good faith effort to avoid privacy violations and disruptions." Apple's program offers payouts up to $1 million for zero-click kernel code execution vulnerabilities. None of these programs has been associated with criminal prosecution threats against researchers in recent memory.
The Legal Landscape: CFAA, DMCA, and the Safe Harbor Gap
Microsoft did not specify which legal mechanisms its Digital Crimes Unit might invoke, but the two primary federal statutes available are the Computer Fraud and Abuse Act (CFAA) and the Digital Millennium Copyright Act (DMCA).
The CFAA criminalizes accessing protected computers "without authorization," a phrase whose meaning has been contested in courts for decades. A 2017 study found that companies are broadly unwilling to grant security researchers permission to audit their products, and in a 2018 CDT report, over half of 20 academic and independent researchers interviewed identified the CFAA as a major risk factor in their work.
The DOJ updated its CFAA charging policy in 2022 to discourage prosecution of good-faith security research, and the Copyright Office has granted DMCA exemptions for security research through its triennial rulemaking process. But these are policy guidance, not statutory safe harbors — they can be reversed by a future administration and do not prevent a private company from making a criminal referral.
Harvard's Berkman Klein Center has called for permanent legislative safe harbors under both the CFAA and DMCA Section 1201, arguing that the current framework of temporary exemptions and prosecutorial discretion leaves researchers exposed. The New America Foundation's Open Technology Institute has made similar recommendations, stating that "cybersecurity research should not be a crime."
In Europe, the EU Cyber Resilience Act, whose reporting obligations take effect in September 2026, mandates that manufacturers implement coordinated vulnerability disclosure policies and maintain clear contact points for external researchers. However, the CRA does not include explicit safe harbor language for researchers. Academic advocates have called for the EU to define "good-faith security research" as a legally recognized safe harbor in European law, pointing to cases in the Netherlands, Malta, and Germany where researchers faced legal consequences for reporting vulnerabilities.
International standards exist — ISO/IEC 29147 defines vulnerability disclosure processes, and ISO/IEC 30111 addresses vulnerability handling — but these are voluntary frameworks, not legal protections.
The Steelman Case for Microsoft
Microsoft's position has a factual basis that some commentators have acknowledged, even while criticizing its execution.
Eclipse published working proof-of-concept exploit code for unpatched vulnerabilities. Three of those exploits were weaponized and used in real attacks within days. The BlueHammer exploit was being actively used in customer intrusions by April 10 — one week after publication — while the patch did not arrive until April 21. RedSun and UnDefend went 35 and 39 days respectively between public exploit release and patch availability.
Microsoft's MSRC blog post argued that "uncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable and have real-world consequences." This is consistent with the position of organizations like CERT/CC, which generally advocates for coordinated disclosure with reasonable timelines rather than immediate public release of exploit code.
There is also a documented history of researchers who have published under the banner of "responsible disclosure" in ways that facilitated exploitation. Full-disclosure advocates have long argued that vendor pressure is the only way to force timely patches, but the trade-off is that attackers — not just defenders — gain access to exploit code during the window before a fix ships.
The question is whether Microsoft's response — threatening criminal prosecution and disabling accounts — was proportionate or productive. Even commentators sympathetic to Microsoft's concerns about public exploit drops have noted that the Digital Crimes Unit language went beyond what was necessary.
The Chilling Effect: Measurable or Theoretical?
Whether Microsoft's actions have produced a measurable chilling effect on vulnerability research is difficult to quantify this soon after the events.
What is clear is that the cybersecurity community's public reaction has been overwhelmingly negative. Moussouris warned that the "chilling effect" is "already visible, with countless researchers sharing their own negative experiences reporting bugs to Microsoft" in response to the MSRC blog post. Beaumont noted that the blog post language effectively equated proof-of-concept creation with criminal activity — a standard that, if enforced, would criminalize a significant portion of everyday security research.
Academic research on vulnerability disclosure has grown substantially over the past decade, with 36,747 papers published on the topic in 2025 alone, according to OpenAlex data. Whether the Microsoft controversy will affect submission rates for Microsoft-specific vulnerability research remains to be seen.
Microsoft's own track record on vulnerability response has been scrutinized in other contexts. The Storm-0558 incident in 2023, in which Chinese threat actors exploited a compromised consumer signing key to access U.S. government email accounts — including Commerce Secretary Gina Raimondo's — went undetected for over a month. The U.S. Cyber Safety Review Board attributed the breach to "a series of avoidable errors on Microsoft's part" and criticized a "corporate culture that undervalued enterprise security investments." That incident, though unrelated to the current dispute, forms part of the backdrop against which researchers evaluate Microsoft's credibility when it claims to prioritize security.
What Would Need to Change
The current legal framework in the United States offers no statutory safe harbor for security researchers acting in good faith. The DOJ's 2022 charging guidance and the DMCA triennial exemptions provide partial protection, but neither prevents a company from filing a criminal referral or pursuing civil litigation.
Several concrete changes have been proposed:
- Permanent CFAA safe harbor: The Berkman Klein Center and New America Foundation have called for legislation that explicitly exempts good-faith security research from CFAA liability, rather than relying on prosecutorial discretion.
- DMCA permanent exemption: The current triennial rulemaking process requires researchers to re-petition for exemptions every three years. A permanent exemption for security research would remove this recurring burden.
- EU safe harbor language: As the CRA's reporting obligations take effect in September 2026, advocates are pushing for explicit legal protection for researchers conducting good-faith vulnerability research under EU law.
- Vendor accountability: The CSRB's Storm-0558 report recommended that Microsoft implement specific security improvements. Broader proposals would require vendors to meet minimum response-time standards for vulnerability reports and prohibit retaliation against good-faith reporters.
The Broader Stakes
This dispute is not simply about one researcher and one company. It touches a structural tension in cybersecurity: the people who find vulnerabilities often lack the legal protections, financial incentives, and institutional power of the companies whose products they are testing.
Microsoft's bug bounty program has paid out $75.5 million since 2018 — a record by any measure. But that figure represents a fraction of a percent of Microsoft's annual revenue, which exceeded $245 billion in fiscal year 2025. The incentive structure relies on researchers trusting that the process will be fair and that their work will be acknowledged, compensated, and — critically — not used against them.
Eclipse's decision to drop unpatched exploit code caused measurable harm: three exploits were weaponized, customers were compromised, and Microsoft's security teams worked "around the clock" to develop patches. That harm is real.
But Microsoft's response — threatening criminal prosecution, deleting the researcher's accounts across Microsoft-owned platforms, and framing proof-of-concept distribution as inherently criminal — has damaged something harder to measure: the willingness of the next researcher to pick up the phone.
Sources (29)
- [1] A shared responsibility: Protecting customers through Coordinated Vulnerability Disclosure (microsoft.com). Microsoft MSRC blog post stating uncoordinated disclosures are "never justifiable" and referencing Digital Crimes Unit enforcement.
- [2] Microsoft under fire for threatening security researcher with criminal investigation (techcrunch.com). TechCrunch report by Lorenzo Franceschi-Bicchierai covering the dispute between Microsoft and Nightmare Eclipse, including community backlash.
- [3] Nightmare-Eclipse: six zero-days, six weeks and one big grudge (barracuda.com). Barracuda Networks analysis of the six exploits released by Nightmare Eclipse, including technical details and timeline.
- [4] Microsoft calls zero-day releases "never justifiable" as researcher threatens to drop more (therecord.media). The Record coverage including researcher allegations about deleted MSRC accounts, withheld bounties, and the threat to release additional exploits on July 14 Patch Tuesday.
- [5] Recently leaked Windows zero-days now exploited in attacks (bleepingcomputer.com). BleepingComputer report on active exploitation of BlueHammer, RedSun, and UnDefend, including Huntress Labs incident documentation.
- [6] BlueHammer & RedSun: Windows Defender CVE-2026-33825 Zero-day Vulnerability Explained (picussecurity.com). Picus Security technical analysis of the TOCTOU race condition in Windows Defender's remediation engine exploited by BlueHammer.
- [7] Microsoft Defender vulnerabilities exploited in the wild (CVE-2026-41091, CVE-2026-45498) (helpnetsecurity.com). Help Net Security coverage of RedSun and UnDefend patching on May 21, 2026 after weeks of active exploitation.
- [8] "They will ruin my life": Microsoft threatens to wield Digital Crimes Unit over exploit disclosures (windowscentral.com). Windows Central report featuring Nightmare Eclipse's claims about Microsoft threatening to "ruin my life" and detailing account deletions across platforms.
- [9] Microsoft's GitHub bans security researcher who posted zero-day Windows exploits (tomshardware.com). Tom's Hardware coverage of the GitHub account ban and the researcher's claims of retaliation, including expert characterization of the action as vindictive.
- [10] Microsoft threatened a security researcher with criminal charges, and the cybersecurity community isn't having it (tweaktown.com). TweakTown coverage of Kevin Beaumont's criticism calling the situation "a dumpster fire of their own making."
- [11] Microsoft and security researcher's dueling posts about cybersecurity disclosures get nasty (csoonline.com). CSO Online analysis including Katie Moussouris's criticism of Microsoft's "responsible disclosure" framing and Digital Crimes Unit threats.
- [12] Microsoft faces security community backlash over Nightmare Eclipse (notebookcheck.net). Notebookcheck coverage of the broader security community reaction and Kevin Beaumont's comments on contradictions in Microsoft's position.
- [13] Microsoft pays record $17 million in bounties over the last 12 months (bleepingcomputer.com). BleepingComputer report on Microsoft's record FY2025 bug bounty payouts: $17 million to 344 researchers across 59 countries.
- [14] Microsoft Bug Bounty Program Expanded to Third-Party Code (securityweek.com). SecurityWeek report on Microsoft's December 2025 expansion of its bounty program to an "In Scope by Default" model covering third-party code.
- [15] Microsoft now buys bugs, with or without a bounty program (theregister.com). The Register coverage of Microsoft's expanded bug bounty eligibility and increased payout amounts for AI and .NET vulnerabilities.
- [16] The Microsoft bug bounty program just got a big update — and even applies to third-party code (itpro.com). IT Pro coverage of Microsoft's bug bounty expansion, including raised maximum awards and broader scope.
- [17] Microsoft Bounty Guidelines (microsoft.com). Official Microsoft bug bounty safe harbor terms, including waiver of DMCA claims and commitment not to pursue civil or criminal action against compliant researchers.
- [18] Meta Bug Bounty Program Terms (meta.com). Meta's bounty terms explicitly granting CFAA authorization to researchers testing in-scope products in good faith.
- [19] 15 Best Paying Bug Bounty Programs in the World (geeksforgeeks.org). Comparison of major bug bounty programs including Apple's up to $1 million payout and Google's Vulnerability Reward Program.
- [20] Coming in from the Cold: A Safe Harbor from the CFAA and the DMCA (harvard.edu). Harvard Berkman Klein Center paper calling for permanent legislative safe harbors for good-faith security researchers under the CFAA and DMCA Section 1201.
- [21] America's anti-hacking laws pose a risk to national security (brookings.edu). Brookings Institution analysis of the CFAA's chilling effect on security research and CDT findings that over half of researchers identify the law as a major risk.
- [22] Cybersecurity Research Should Not Be A Crime (newamerica.org). New America Foundation brief calling for clear, permanent CFAA and DMCA exemptions for cybersecurity research.
- [23] Cyber Resilience Act (ec.europa.eu). Official EU page on the Cyber Resilience Act, including vulnerability reporting obligations effective September 2026.
- [24] Call for European protection of security researchers (synapsesocial.com). Academic paper advocating for "good-faith security research" to be defined as a legally recognized safe harbor in EU law.
- [25] The Role of ISO 29147 and 30111 in Enhancing Cybersecurity Strategies for 2026 (comolho.com). Analysis of the ISO/IEC 29147 and 30111 standards for vulnerability disclosure and handling processes.
- [26] OpenAlex: Vulnerability Disclosure Research Publications (openalex.org). Academic publication data showing 247,678 papers on vulnerability disclosure, with 36,747 published in 2025.
- [27] Storm 0558 & Microsoft Vulnerability — Key Takeaways (archive360.com). Analysis of the Storm-0558 breach in which Chinese threat actors exploited Microsoft vulnerabilities to access U.S. government email accounts.
- [28] CSRB Slams Microsoft Over Storm-0558 Attacks (tuxcare.com). Coverage of the U.S. Cyber Safety Review Board report attributing the Storm-0558 breach to avoidable Microsoft errors and a culture undervaluing security.
- [29] Microsoft Corp Form 8-K FY2024 (sec.gov). Microsoft SEC filing showing fiscal year financial results, providing context for bug bounty spending relative to overall revenue.