The cybersecurity community is blasting Microsoft for threatening legal action against a disgruntled researcher who has been exposing Windows vulnerabilities outside the company's normal disclosure process.
The controversy centers on a researcher known as "Nightmare Eclipse," who has published six unpatched "zero-day" flaws in recent weeks. This includes a proof-of-concept exploit for a Windows vulnerability known as BlueHammer that can allow an attacker to escalate their privileges to the administrator level.
Researchers usually submit such findings to the Microsoft Security Response Center (MSRC) for patching before hackers can exploit them. But Nightmare Eclipse has deliberately ignored the responsible disclosure route, citing claims that Microsoft mistreated them.
"They mopped the floor with me and pulled every childish game they could," the researcher wrote last month, without elaborating. "It was soo bad at one point I was wondering if I was dealing with a huge corporation or someone who's just having fun seeing me suffer but it seems to be a collective decision."
The tension only escalated after Nightmare Eclipse disclosed more flaws this month, writing: "Microsoft has chosen to make this worse instead of resolving the situation like adults, they pulled every childish game possible."
On Wednesday, the software giant responded with its own blog post that reiterated the need for responsible disclosure to prevent hackers from abusing such flaws, and that contained a legal threat.
"Uncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable and have real-world consequences," the company wrote, later adding: "Our Digital Crimes Unit will continue bringing cases against these actors and those who enable their criminal activity – coordinating as needed with law enforcement around the world."
Microsoft goes on to say "any disclosure outside proper coordination" could harm its customers. But that last part, about pursuing potential charges against Nightmare Eclipse, has sparked an uproar in the cybersecurity community, since one could argue the researcher is doing Microsoft a service by exposing critical bugs.
"Microsoft will do anything to stop people posting zero-days except fix MSRC," tweeted Zack Korman, CTO of cybersecurity provider Pistachio. Other researchers are sharing their own stories of reporting a flaw to Microsoft, only for the company to refuse to pay a reward or formally fix the problem, and then quietly issue a patch later.
"MSRC strung me along for a few extra months to keep me quiet, then broke their word….The interaction left such a bad taste in my mouth that I don't really feel like interacting with them again," wrote Gabriel Landau, a cybersecurity researcher and developer of anti-malware programs for Windows.
Nvidia support engineer Eric Warnke also wrote of Microsoft: "You cannot compel independent security researchers. You can only make it more or less attractive to work with you. Microsoft made it less attractive, and now they're writing blog posts about shared responsibility. That is a CYA, not a bug program designed to encourage reporting."
Kevin Beaumont, a security researcher who previously worked at Microsoft, is also doubtful that Redmond could successfully sue anyone for violating a company's responsible disclosure policy, which is typically set by the company itself.
"If Microsoft's tactic is to try to criminalize not following often arbitrary 'responsible disclosure' frameworks, good luck defending that in court — because there's a whole clown car of prior decision making inside Microsoft and facts which would emerge in that process," he wrote, noting that the Microsoft-owned GitHub often hosts software exploits and hacking techniques but does not necessarily remove them.
"Microsoft should be concentrating on making better, more secure products that one person can't run rings around," he added.
In the meantime, both the GitHub and GitLab pages for Nightmare Eclipse have been taken down, along with their MSRC account, preventing them from properly disclosing future bugs to Microsoft. Still, the researcher has threatened to publish a new vulnerability on July 14, warning: "I'll make sure that your bones are shattered that day."
About Our Expert
Michael Kan
Principal Reporter
Experience
I've been a journalist for over 15 years. I got my start as a schools and cities reporter in Kansas City and joined PCMag in 2017, where I cover satellite internet services, cybersecurity, PC hardware, and more. I'm currently based in San Francisco, but previously spent over five years in China, covering the country's technology sector.
Since 2020, I've covered the launch and explosive growth of SpaceX's Starlink satellite internet service, writing 600+ stories on availability and feature launches, but also the regulatory battles over the expansion of satellite constellations, fights with rival providers like AST SpaceMobile and Amazon, and the effort to expand into satellite-based cellular service. I've combed through FCC filings for the latest news and driven to remote corners of California to test Starlink's cellular service.
I also cover cyber threats, from ransomware gangs to the emergence of AI-based malware. In 2024 and 2025, the FTC forced Avast to pay consumers $16.5 million for secretly harvesting and selling their personal information to third-party clients, as revealed in my joint investigation with Motherboard.
I also cover the PC graphics card market. Pandemic-era shortages led me to camp out in front of a Best Buy to get an RTX 3000. I'm now following how the AI-driven memory shortage is impacting the entire consumer electronics market. I'm always eager to learn more, so please jump in the comments with feedback and send me tips.
