Microsoft threatened a security researcher with criminal charges, and the cybersecurity community isn’t having it

https://www.tweaktown.com/news/111895/microsoft-threatened-a-security-researcher-with-criminal-charges-and-the-cybersecurity-community-isnt-having-it/index.html

Publish Date: 2026-05-30 21:03:00

Source Domain: www.tweaktown.com

A public dispute between Microsoft and security researcher Nightmare Eclipse has escalated into a full-scale backlash from the cybersecurity community, after Microsoft threatened criminal prosecution over a series of uncoordinated zero-day disclosures.

Between early April and mid-May 2026, Nightmare Eclipse published proof-of-concept exploit code for six Windows vulnerabilities without coordinating with Microsoft. Three of those, BlueHammer, RedSun, and UnDefend, were confirmed as being used in live attacks shortly after going public, prompting emergency patches and their addition by CISA to its Known Exploited Vulnerabilities catalog. The other three, YellowKey, GreenPlasma, and MiniPlasma, remain unpatched.

Following these discoveries, Microsoft published a formal blog post describing uncoordinated disclosures as “never justifiable” and warning its Digital Crimes Unit could pursue criminal charges against those responsible. The company also had Nightmare Eclipse’s GitHub account suspended around May 23, followed by their GitLab account between May 26 and 27.

Nightmare Eclipse disputes the framing entirely. The researcher claims Microsoft deleted the Security Response Center account used to file the original bug reports and refused further contact. “You literally deleted the Microsoft account I used to report bugs to you with, and I got zero pennies from doing so,” the researcher wrote publicly.

The security industry is largely not siding with Microsoft, either. Security researcher Katie Moussouris publicly criticized the blog post, saying the prosecution threat would push researchers away from trusting Microsoft and ultimately make things less safe for everyone. Kevin Beaumont, a former Microsoft security engineer, called the situation “a dumpster fire of their own making,” noting that Microsoft previously hired researchers who had published zero-days without warning, the same behavior it now describes as criminal.

Microsoft’s position is…