Microsoft says it won't sue good-faith security researchers after backlash over zero-day disclosures
- Microsoft said on June 1 it had “no intention” of pursuing action against people conducting or publishing security research after backlash over zero-day remarks. (cybersecuritynews.com)
- The key dispute centers on six Windows zero-days tied to Nightmare-Eclipse, three of which were later weaponized and added to CISA’s KEV catalog. (cybersecuritynews.com)
- Microsoft’s May 27 MSRC post opposing uncoordinated disclosure remains online through the company’s security blog and researcher reporting portal. (microsoft.com)
Microsoft has tried to draw a narrower line after a week of criticism from security researchers who read one of its recent statements as a threat of legal action over public zero-day disclosures. In a follow-up clarification reported on June 1, the company said it had “no intention to pursue action against individuals conducting or publishing their security research,” even as it kept arguing that releasing exploit details before a patch can put customers at risk. (cybersecuritynews.com)

The dispute grew out of Microsoft’s response to a researcher using the names Nightmare Eclipse and Chaotic Eclipse, who published six unpatched Windows vulnerabilities between April and mid-May 2026. Microsoft’s original position, set out in a May 27 post from the Microsoft Security Response Center, said the bugs had not been responsibly disclosed and that proof-of-concept code for unpatched flaws should not be put “into the hands of bad actors.” (microsoft.com)

### Why did researchers think Microsoft was threatening them?

Microsoft’s May 27 MSRC blog said its Digital Crimes Unit would “continue bringing cases against these actors and those that enable their criminal activity,” language that many in the security community took as broader than a warning aimed at active attackers. (cybersecuritynews.com)

Dark Reading reported that the wording triggered backlash because researchers saw it as potentially sweeping in people who publish vulnerability details outside coordinated channels. Microsoft then moved to clarify that its legal escalation was aimed at people who “break the law and engage in malicious activity causing real harm to our customers,” not at good-faith research itself. (microsoft.com)

### Who is Nightmare-Eclipse, and what was disclosed?

Cybersecurity News reported that the researcher published working proof-of-concept code for six Windows vulnerabilities identified as BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma and MiniPlasma. The reported targets included Microsoft Defender and BitLocker-related components. (microsoft.com)

The same report said the releases followed a breakdown in the researcher’s relationship with Microsoft’s reporting process. Microsoft has not, in its own May 27 post, named the individual, but it said the vulnerabilities “were not responsibly disclosed” and that the disclosures had created “unnecessary risk.” (darkreading.com)

### What is Microsoft still arguing about public zero-day disclosures?

Microsoft’s public position has not changed on the core disclosure question. In the May 27 MSRC post, the company said details of the vulnerabilities “were not shared with Microsoft prior to release” and that uncoordinated disclosures can harm customers and the wider ecosystem. (cybersecuritynews.com)

CPO Magazine reported that Microsoft’s argument is that detailed public disclosures can serve as a “road map” for threat actors, and that some of the bugs at issue were used in attacks soon after publication. That framing matches the company’s broader insistence that coordinated vulnerability disclosure gives vendors time to assess impact and ship protections before exploit code circulates widely. (microsoft.com)

### Did Microsoft actually back away from its disclosure policy?

The June 1 clarification was narrower than a policy reversal. Microsoft said it still supports coordinated vulnerability disclosure and still opposes releasing proof-of-concept code for unpatched flaws, but it also said it would continue to welcome submissions through its public researcher portal “regardless of past interactions or reputation.” (microsoft.com)

That leaves the central dispute unresolved. Researchers who believe vendors are too slow or dismissive still have incentives to publish, while Microsoft is still arguing that early public detail can accelerate real-world exploitation. The company’s security blog and MSRC reporting portal remained live on June 2 with that coordinated-disclosure framework unchanged. (cpomagazine.com)

### What comes next in this fight?

Cybersecurity News reported that the researcher had signaled a further disclosure for July 14, timed around July’s Patch Tuesday cycle. Microsoft, for its part, said on May 27 that its teams were working to understand impact, protect customers and develop security updates tied to the disclosed flaws. (microsoft.com)

The next concrete markers are likely to be security advisories, patch releases and any additional public disclosures from the researcher or Microsoft’s Security Response Center in the weeks leading up to July 14. (cybersecuritynews.com) (microsoft.com)