Microsoft is threatening legal action and a criminal investigation after a security researcher known as Nightmare Eclipse published details of several unpatched bugs in Microsoft products, together with working exploit code. The company says the researcher bypassed responsible disclosure protocols.

The bugs, named BlueHammer, RedSun, UnDefend, and YellowKey, affect security-critical Microsoft components including Windows Defender and BitLocker drive encryption. Microsoft argues that Nightmare Eclipse should have reported the vulnerabilities through its official channels before releasing exploit code on GitHub and GitLab.

In a blog post published Wednesday, Microsoft stated that responsible disclosure requires notifying the vendor first so that a patch can be developed and released before details become public. The researcher instead published working exploits, which can serve as a ready-made template for malicious actors.

Nightmare Eclipse counters that they were in contact with Microsoft but ran into obstacles, including being removed from the Microsoft Security Response Center (MSRC) portal. The researcher says they had no choice but to publish, which made the bugs zero-days: publicly known, exploitable flaws for which no patch exists.

Microsoft's Digital Crimes Unit responded with a direct warning: "We will continue bringing cases against these actors and those that enable their criminal activity — coordinating as needed with law enforcement around the world."

Nightmare Eclipse's GitHub and GitLab accounts have both since been removed. According to CISA and other security agencies, some of the vulnerabilities are already being exploited in active attacks.

The dispute revives a long-standing question in the security community: should researchers keep to disclosure protocols even when they believe a vendor is unresponsive, or is public release justified as a last resort?

Both Microsoft and Nightmare Eclipse have declined further comment.