AI-POWERED NEWS

Microsoft Threatens Security Researcher With Criminal Investigation After He Exposed Six Unpatched Windows Bugs

A researcher known as Nightmare Eclipse published six zero-day vulnerabilities in Microsoft products — including Windows Defender and BitLocker — without going through official channels first. Microsoft responded not by fixing the bugs faster, but by threatening legal action and a criminal referral. The cybersecurity community is calling Microsoft's bluff, and they have a point.

What Actually Happened

Over the past several weeks, a security researcher going by Nightmare Eclipse published six unpatched zero-day vulnerabilities in core Microsoft products. The bugs — named BlueHammer, RedSun, UnDefend, and YellowKey — affect Windows Defender, Microsoft's built-in antivirus engine, and BitLocker, its disk-encryption tool.

Nightmare Eclipse didn't just describe the flaws. They published proof-of-concept exploit code, meaning any motivated attacker could pick it up and run with it. Some already have. According to both Microsoft and the U.S. Cybersecurity and Infrastructure Security Agency (CISA), several of these vulnerabilities have since been used in real-world attacks.

On Thursday, May 28, Microsoft fired back with a blog post. The company criticized the researcher for skipping its Microsoft Security Response Center (MSRC) — the official channel where researchers are supposed to report flaws before they go public. Microsoft called the approach irresponsible and warned that "uncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable."

Then came the threat. Microsoft's blog referenced its Digital Crimes Unit, warning it "will continue bringing cases against these actors and those that enable their criminal activity — coordinating as needed with law enforcement around the world," as reported by TechCrunch.

Microsoft Skipped Over a Key Detail

Microsoft's blog post omitted one crucial fact: Nightmare Eclipse claims Microsoft already knew.

The researcher says they were in contact with Microsoft. According to Nightmare Eclipse's own blog posts, cited by both TechCrunch and PCMag, Microsoft allegedly responded by revoking their MSRC account — the very portal used to submit vulnerability reports. The researcher's interpretation: Microsoft didn't just ignore the reports, it locked them out of the system designed to receive them.

"They mopped the floor with me and pulled every childish game they could," Nightmare Eclipse wrote, according to PCMag. After Microsoft escalated rather than resolved the situation, the researcher went fully public.

The timeline Microsoft presented — researcher finds bug, skips disclosure, dumps exploits online — is incomplete. The researcher claims there was an attempt at responsible disclosure, and Microsoft allegedly shut that door.

Microsoft has not publicly disputed the MSRC account revocation.

The Cybersecurity Community Is Not Buying Microsoft's Line

Zack Korman, CTO of cybersecurity firm Pistachio, put it bluntly on X: "Microsoft will do anything to stop people posting zero-days except fix MSRC," as reported by PCMag.

Other researchers piled on, sharing their own stories of reporting flaws to Microsoft only to be ignored, lowballed on bug bounties, or stonewalled entirely. This isn't a one-off dispute. It's a pattern.

The security community's position is straightforward: if you want researchers to come to you first, treat them like partners, not nuisances. The moment a company revokes a researcher's access to its vulnerability portal, it has forfeited the moral high ground on "responsible disclosure."

What Mainstream Coverage Is Getting Wrong

Most outlets are framing this as a simple two-sided debate: researcher bad for dumping exploits, Microsoft bad for threatening him. That's lazy.

The core issue is institutional accountability at scale. Microsoft is a company worth over $3 trillion. It employs thousands of security engineers. It charges enterprise customers hundreds of millions annually for products that are supposed to be secure. When a single independent researcher finds six critical zero-days in core Windows security tools — Defender and BitLocker, not obscure enterprise software — that points to a systemic failure inside Microsoft, not a PR problem caused by one rogue researcher.

CISA confirmed real-world exploitation of these vulnerabilities. While Microsoft was busy revoking MSRC access and drafting legal threats, actual attackers were using these bugs against actual targets. The corporate posturing had consequences: organizations got breached.

Both Sides Have a Case — And One Has More of One

To be fair: publishing exploit code before patches exist is genuinely dangerous. Nightmare Eclipse's methods handed criminals a loaded weapon with no safety on. That's not a trivial concern. Real people and organizations got hit.

But Microsoft threatening criminal charges against a researcher who exposed flaws in its own security software is a chilling move. If it succeeds, the message to every independent security researcher is clear: find a bug in Microsoft's products, report it quietly, get ignored — and if you go public, we send the Digital Crimes Unit after you.

That outcome is dangerous for anyone who uses Windows. Which is basically everyone.

The Practical Reality

If you're running Windows — and roughly 1.4 billion people are, according to Microsoft's own figures — you're potentially exposed. BlueHammer alone allows privilege escalation to administrator level, per PCMag. Microsoft has not announced patch timelines for all disclosed vulnerabilities.

The legal threats make for dramatic headlines. The unpatched bugs affecting over a billion machines are the actual emergency. Microsoft needs to fix its products and fix its researcher relations program — in that order.

Suing the person who found the holes does not patch them.

Sources

TechCrunch: "Microsoft under fire for threatening security researcher with criminal investigation"
BackBox.org News: "Microsoft under fire for threatening security researcher with criminal investigation"
PCMag: "Microsoft Threatens Researcher Over Bug Reports, Triggers Cybersecurity Uproar"
KuCoin: "Microsoft Faces Backlash Over Legal Threats to Security Researcher"