Microsoft's stance on zero day exploits is a dumpster fire of their own making


By Kevin Beaumont, May 2026, published on DoublePulsar.


Cybersecurity from the trenches, written by Kevin Beaumont. Opinions are of the author alone, not their employer.


Recently, somebody going by the name of Nightmare Eclipse has been having an online beef with Microsoft around security vulnerabilities they claim they had been trying to report. Their posts read like those of a former Microsoft employee. They’ve been dumping proof of concept exploits for said vulnerabilities publicly.

As a defender myself, it’s not great — but it is what it is; Microsoft should make better products. In an age where every vendor is selling magic beans AI boxes that can “discover every vulnerability”, it is unsurprisingly real humans who are still finding impactful vulnerabilities.

The vulnerabilities range from interesting to nothing. For example, one interesting one — still unpatched — is a complete and working BitLocker bypass in default deployments, allowing you to bypass encryption on a device.

Do I support what Nightmare Eclipse is doing with this one? Not really, it feels weird at times, almost like they think they’re entitled to payment — their blog is also awfully specific about certain Microsoft colleagues. There’s presumably more going on behind the scenes than is known.

This Microsoft blog about the situation caught my attention, though:

A shared responsibility: Protecting customers through Coordinated Vulnerability Disclosure
“In recent weeks several zero-day vulnerabilities have been publicly disclosed. The details of these vulnerabilities…”
(www.microsoft.com)

In particular, this bit (my highlights):

[Image: screenshot of the Microsoft blog post, with the relevant passage highlighted by the author]

Hang on... proof of concept exploit creation and distribution for zero days is “criminal activity” now? Who in CELA signed off that wording? Microsoft are the biggest distributor of zero days, via GitHub. Not following made-up “responsible disclosure” processes is not illegal.

Nightmare Eclipse was also kicked off GitHub (owned by Microsoft) and GitLab (a Microsoft partner), they were doxxed on Twitter, and they had their MSRC — Microsoft vulnerability reporting portal — account disabled. It’s quite difficult to ‘responsibly’ report future vulnerabilities when you have been banned.

GitHub has long been a source of zero-day exploits in competitor products — it still is. While I worked there, GitHub had a policy saying they wouldn’t remove them. By continually removing just exploits for their own products from GitHub and declaring “criminal activity”, it’s a Rubicon you shouldn’t cross.

Microsoft is attempting to misuse its ownership of GitHub to protect only its own products, and misuse its extensive links to law enforcement by branding publishing information about vulnerabilities in its own products as criminal behaviour, as best I can read that blog.


Maybe there’s more to it that isn’t mentioned in the blog — but in which case, either mention it or shut up and let law enforcement take over.

Responsible disclosure quite often is framed to protect the product owner, not the customer — using it to try to criminally prosecute people is a new low.

Some history

Before I joined Microsoft, back in 2019, somebody called SandboxEscaper published a few proof of concepts online for Microsoft products, as zero days.

Microsoft hired her. SandboxEscaper did good work.


Now, to be clear, SandboxEscaper claims they aren’t Nightmare Eclipse. I’m not linking the two, either — I’m making the point that Microsoft has very publicly hired somebody for doing the same thing Microsoft’s latest blog alleges is criminal behaviour.

There’s a lot of history.

For example, Microsoft knowingly employed somebody who would repeatedly talk about selling exploits to Russia and Iran, publicly, while working there — for years.

They have a long history of hiring people, some with criminal convictions for hacking offences — and hiring people who’ve posted zero days publicly.

Microsoft have also purchased zero-day exploits in their own products from exploit brokers.

If Microsoft’s tactic is to try to criminalise not following often arbitrary “responsible disclosure” frameworks, good luck defending that in court — because there’s a whole clown car of prior decision making within Microsoft and facts which would emerge in that process.

It would also profoundly change the security industry for the worse, pivoting to protecting the interests of business over the interest of collective cyber defence. Microsoft should be...
