Microsoft faces backlash after a blog post implied criminal referral and legal action against security researcher Nightmare Eclipse over public bug disclosures

After a security researcher published a series of unpatched bugs in Microsoft products, along with code to exploit them …

TechCrunch, by Lorenzo Franceschi-Bicchierai

Discussion

  • @vxunderground @vxunderground on x
    Chat, I don't want to be that guy, but I think Microsoft has really pissed off security researchers and we're approaching the tipping point. This Eclipse guy has really rocked the boat for Microsoft.
  • @zackkorman Zack Korman on x
    Microsoft will do anything to stop people posting zero days except fix MSRC.
  • @rootsecdev @rootsecdev on x
    Last time I dealt with MSRC: responsibly disclosed an issue with legacy auth that allowed me to spray passwords at <redacted endpoint> and avoid smart lockout. Received an email 5 months after the initial case opening: “Doesn't meet the bar for servicing.” Microsoft silently
  • @gabriellandau Gabriel Landau on x
    ...After the agreed-upon Patch Tuesday a few months later, I couldn't find any mention in the CVE list, so I reached out to MSRC to inquire.  It turns out - they changed their minds, deciding it did not meet their bar for servicing, yet they patched it anyway.  Since it didn't me…
  • @k8em0 @k8em0 on x
    Not that ‘responsible’ disclosure shit again 🙄 No vendor uses that term unless they want to call someone irresponsible. Even if someone drops 0day, patch & move on. Going after a researcher is a great way to turn 1 bad relationship into many terrible relationships.
  • @chompie1337 @chompie1337 on x
    Security research reporting is kinda the only situation where an individual has any power over a corporation. What goes unsaid: the researcher could easily sell exploits on the grey market and get rich. Most report out of morals, lowk a refusal to contribute to cyberwarfare.
  • @arekfurt @arekfurt on x
    Working at MSRC handling vuln reports has to be one of the most utterly thankless jobs in tech. You have to find incredibly important reports in a crush of crap while retroactively justifying the decisions of product teams on what to fix when using flawed servicing guidelines.
  • @wdormann @wdormann on x
    Since we're all sharing MSRC stories: Once at the CERT/CC I got the CVE ID for a public case and published the ID before Microsoft had an update released for it. MSRC was very mad at me because in their minds CVE IDs are used to identify Patch Tuesday updates, and are secret.
  • @hackinglz Justin Elze on x
    Few things unite the security community more than collectively dragging MSRC.
  • @zodttd @zodttd on x
    ...This is because the unappreciated researcher released more zero-day vulnerabilities on his own and had those GitHub/Lab accounts banned.  They were serious enough that Microsoft is scrambling to fix them but wasn't serious enough to be paid or recognized, instead was ridiculed…
  • @spidermorpheus @spidermorpheus on x
    This is important. MSRC is probably the loudest worst case but check any bug hunter and they will have a myriad of cases where vendors act in bad faith. Doing the righteous thing is good but unfortunately it does not pay the bills. We need to understand as a society that if we
  • @nathanmcnulty Nathan McNulty on x
    Since everyone is sharing MSRC stories 🙃 I had a PrivEsc from User Admin, a role many give helpdesk or HR, to Global Admin.
    MSRC: Not a vulnerability, requires a built-in Microsoft app in the tenant to exploit.
    Also MSRC: It's a vulnerability when someone else submits it 🤷‍♂️
  • @vxunderground @vxunderground on x
    Microsoft Security Response Center put out a blog post today about the Eclipse Nightmare guy. Basically they think he's super mean and totally not cool that he's dropping zero days. They say you're a jerk if you do this stuff because it's dangerous and stuff. https://www.microsoft.com/...
  • Nikhil Mittal Nikhil Mittal on linkedin
    They have dropped the facade built over the last decade.  —  https://lnkd.in/...
  • Jessica Lyons Jessica Lyons on linkedin
    “The bugs are Microsoft's,” Luta Security CEO Katie Moussouris told me.  “They wrote the code and they own the risk to customers. …
  • @zackwhittaker@mastodon.social Zack Whittaker on mastodon
    NEW: Microsoft is facing heavy criticism from the cybersecurity community for threatening to take legal action and call the cops on a security researcher who published unpatched bugs online.  —  Cybersecurity veterans warned that Microsoft's approach here could result in a chilli…
  • @campuscodi.risky.biz Catalin Cimpanu on bluesky
    What's happening at MSRC now belatedly confirms the rumors from 1-2 years ago when a bunch of security researchers who left the department said the “bad corporate guys” had effectively taken over and the S in MSRC stopped standing for “security” [embedded post]