Microsoft reaches for olive branch after public dustup with 0-day researcher
Following days of criticism from the security community, Redmond dials back rhetoric, insists vulnerability hunters not in its legal crosshairs
Carly Page
Published Tue 2 Jun 2026 // 13:37 UTC
Microsoft has moved to calm an increasingly noisy backlash from the security community after appearing to threaten legal action against a researcher who spent the past several weeks dumping Windows zero-days onto the internet.

In a statement published on Monday, Redmond said it has "no intention to pursue action against individuals conducting or publishing security research", a noticeably softer position than the one it adopted just days earlier when it condemned a string of public vulnerability disclosures and invoked its Digital Crimes Unit.

The updated statement follows a public feud with a researcher known as Nightmare-Eclipse, who released multiple Windows zero-days along with proof-of-concept exploit code. Several of those vulnerabilities have since been exploited in the wild, turning what might have remained an obscure disclosure dispute into a much larger argument about how vendors handle security researchers.
Last week, Microsoft described the publication of exploit code for unpatched flaws as "never justifiable" and warned it would work with law enforcement when criminal activity harmed customers. The statement triggered immediate criticism from parts of the security community, with researchers warning that the language risked creating a chilling effect around vulnerability research.
Former Microsoft employee and security researcher Kevin Beaumont described the company's position as a "dumpster fire of its own making," while Luta Security founder Katie Moussouris, who created Microsoft's bug bounty program, told The Register the response sent mixed messages.
She questioned Microsoft's decision to tout researcher compensation and recognition while responding to a researcher who claims he received neither, and argued that references to the Digital Crimes Unit made the post feel "vaguely threatening." She added that, regardless of the specifics of the dispute, Microsoft risked creating a chilling effect on other researchers considering whether to report vulnerabilities.

What's more, if Microsoft's goal was to isolate Nightmare-Eclipse, that may not be going entirely to plan. The researcher claimed over the weekend that other researchers had begun handing over vulnerabilities following Microsoft's response, including an alleged flaw dubbed "Bitskrieg" that breaks Secure Boot trust guarantees and bypasses BitLocker. Nightmare-Eclipse said the bug will be released "sometime in June".

Against that backdrop, Microsoft's Monday message read more like damage control than deterrence.

"We have no intention to pursue action against individuals conducting or publishing their security research," Microsoft said, adding that legal referrals would be reserved for people engaging in malicious activity that causes harm to customers. The company also acknowledged that "some interactions have fallen short" and said it was working to learn from feedback.

Notably, Microsoft stopped well short of conceding any of Nightmare-Eclipse's specific allegations. The researcher had accused Microsoft of deleting accounts used for vulnerability reporting, refusing to pay bounties, and mishandling communications through the Microsoft Security Response Center. The company has not publicly addressed those claims directly.

Nobody should mistake Monday's statement for a sudden conversion to the church of full disclosure. Microsoft remains firmly of the view that researchers should report vulnerabilities privately, give vendors time to fix them, and avoid dropping working exploit code onto the internet for everyone else to play with.

The problem for Redmond was that the argument had drifted well beyond the actions of one researcher. What began as a dispute over a string of Windows zero-day releases was rapidly turning into a debate about Microsoft's relationship with the security community and whether the company was comfortable invoking lawyers when that relationship soured.
The updated statement looks very much like an attempt to slam the brakes on that narrative. ®