Microsoft has clarified its stance, reducing perceived legal threats and reaffirming its commitment to coordinated vulnerability disclosure, following significant backlash from the security research community.
In a carefully worded statement released in late May 2026, Microsoft’s Security Response Center (MSRC) moved to defuse a growing crisis over its handling of the security research community, clarifying that it has “no intention to pursue action against individuals conducting or publishing their security research.”
The declaration came days after Microsoft’s May 28 MSRC blog post, which condemned a rogue researcher known as Nightmare Eclipse for disclosing six unpatched Windows zero-days without coordination, and was widely interpreted as a sweeping legal threat against all researchers who bypass official channels.
Microsoft Protects Good-Faith Researchers
The dispute centers on Nightmare Eclipse, also known as Chaotic Eclipse, who publicly released working proof-of-concept exploit code for six Windows vulnerabilities between April and mid-May 2026.
The flaws, named BlueHammer (CVE-2026-33825), RedSun (CVE-2026-41091), UnDefend (CVE-2026-45498), YellowKey (CVE-2026-45585), GreenPlasma, and MiniPlasma, targeted core Windows components including Microsoft Defender and BitLocker encryption.
Three of those, BlueHammer, RedSun, and UnDefend, were subsequently weaponized in real-world attacks, and CISA added the corresponding CVEs to its Known Exploited Vulnerabilities (KEV) catalog.
The researcher, who claims Microsoft ignored prior vulnerability submissions made through official channels and “stabbed them in the back,” promised a “bone-shattering” follow-up drop on July 14, timed to coincide with July’s Patch Tuesday.
Following the public release of the zero-days, Microsoft’s Digital Crimes Unit disabled Nightmare Eclipse’s accounts on GitHub, GitLab, and the MSRC researcher portal.
Microsoft’s initial blog post warned it would “bring cases against actors and those who enable their criminal activity,” while MSRC also addressed the situation in a post on X.
Security experts immediately warned that this language could have a chilling effect on the broader research community, deterring future responsible disclosures.
In its follow-up clarification, Microsoft drew a sharp distinction between good-faith research and malicious activity.
The company stated that legal escalation would occur only “when an individual breaks the law and engages in malicious activity causing real harm to our customers,” explicitly separating criminal exploitation from legitimate vulnerability research and publication.
The statement acknowledged that some past interactions between MSRC and researchers “have fallen short” and pledged renewed commitment to “transparency, clear communication, and professionalism” in every disclosure interaction.
Microsoft also acknowledged the scale and growing complexity of its disclosure workload, noting that it processes a “high volume” of vulnerability reports annually, a volume that continues to climb as AI-assisted security research grows.
The company’s bug bounty programs have paid out over $60 million to researchers since 2013 across 18 programs spanning Azure, Windows, Microsoft Defender, and AI systems.
CVD Under the Microscope
The episode has intensified industry scrutiny of Coordinated Vulnerability Disclosure (CVD), the standard practice in which researchers privately report flaws to vendors, typically within a 90-day embargo window, before going public.
Critics argue that Microsoft’s initial response threatened to weaponize legal frameworks against researchers whose reports were previously ignored, undermining trust in the CVD ecosystem.
Other disclosure programs set their own deadlines: Google Project Zero publishes details 90 days after reporting (with a 30-day grace period when a patch ships within that window), while ZDI operates on a 120-day timeline.
Microsoft reaffirmed that CVD “remains the foundation for protecting customers and improving our products,” pledging to welcome vulnerability submissions from all researchers through its public portal regardless of past interactions, a direct signal that disputes like the one with Nightmare Eclipse should not deter others from responsible reporting.