Microsoft Threatens Researcher Over Windows Zero-Days
Key insights
- CISA confirmed multiple disclosed flaws are actively exploited, meaning live systems remain exposed during Microsoft's legal escalation.
- Nightmare Eclipse claims Microsoft revoked their MSRC portal access before the public disclosures, undercutting Microsoft's coordinated-disclosure argument.
- The four vulnerabilities target Windows Defender and BitLocker, two controls that enterprise organizations treat as foundational security layers.
Why this matters
Enterprise security teams running Defender and BitLocker face active exploits with no coordinated patch timeline because the disclosure process collapsed before remediation could begin. Security researchers are effectively on notice that Microsoft may treat full public disclosure as criminal conduct, raising the cost of independent Windows vulnerability research at exactly the moment it matters most. If legal pressure becomes a standard vendor response to inconvenient disclosures, the independent researcher pipeline that surfaces critical flaws before state-sponsored actors find them will contract.
Summary
Microsoft has threatened anonymous researcher Nightmare Eclipse with a criminal investigation after the researcher publicly disclosed four unpatched Windows vulnerabilities affecting Defender and BitLocker, with no prior vendor notification.
The four flaws (BlueHammer, RedSun, UnDefend, YellowKey) are already being exploited in live attacks per CISA, which makes Microsoft's decision to escalate legally rather than remediate quickly look like a priorities problem. Nightmare Eclipse says Microsoft revoked their MSRC researcher portal account and blocked good-faith outreach before the public disclosures even happened.
Essentially, Microsoft and Nightmare Eclipse are disputing who broke the disclosure relationship first.
- Nightmare Eclipse claims MSRC portal access was revoked before the public drops, removing the standard coordinated-disclosure channel.
- Microsoft argues the researcher bypassed proper notification, potentially triggering computer fraud statutes.
- CISA has confirmed active exploitation of at least some flaws, meaning real systems are exposed while the legal fight plays out.
This case is becoming a test of whether vendors can use criminal referrals to manage the disclosure process when their own researcher engagement programs have already failed.
Potential risks and opportunities
Risks
- Enterprise organizations running Windows Defender and BitLocker face unpatched active exploits with no confirmed remediation timeline from Microsoft while the legal dispute continues
- Other researchers with pending Microsoft vulnerability disclosures may withhold findings or delay publication, creating a growing backlog of undisclosed Windows flaws visible only to threat actors
- Microsoft faces congressional or regulatory scrutiny over using criminal referrals to suppress vulnerability research, particularly if a major breach occurs while the CISA-confirmed exploits remain unpatched
Opportunities
- Third-party endpoint security vendors (CrowdStrike, SentinelOne, Trend Micro) can publish specific detections for all four named vulnerabilities to capture enterprise customers re-evaluating Defender reliance
- Bug bounty platforms (HackerOne, Bugcrowd) have an opening to publish explicit researcher legal safe harbors and formalize protections, differentiating directly from Microsoft's posture
- Enterprise security consultancies can offer immediate Defender and BitLocker hardening audits to organizations concerned about the four disclosed vulnerabilities while patches remain absent
What we don't know yet
- Whether Microsoft has issued patches for BlueHammer, RedSun, UnDefend, or YellowKey since the disclosures, and if so, by what date
- Whether Nightmare Eclipse's MSRC account was revoked before or after they began developing the specific exploits, which changes the good-faith analysis entirely
- The specific criminal statute cited in Microsoft's investigation threat, which determines whether this is a credible legal risk or a sustained pressure tactic
Originally reported by firethering.com
Original headline: Microsoft Threatens Security Researcher Nightmare Eclipse With Criminal Investigation After Windows Zero-Day Disclosures — Security Community Pushes Back