Microsoft Clarifies It Won\u2019t Sue Security Researchers Amid Nightmare-Eclipse Controversy
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
Microsoft has clarified its stance, reducing perceived legal threats and reaffirming its commitment to coordinated\u00a0vulnerability disclosure,\u00a0following significant backlash from the security research community.<\/p>\n
In a carefully worded statement released in late May 2026, Microsoft\u2019s Security Response Center (MSRC) moved to defuse a growing crisis over its handling of the security research community, clarifying that it has \u201cno intention to pursue action against individuals conducting or publishing their security research.\u201d<\/p>\n
The declaration came days after Microsoft\u2019s May 28 MSRC blog post, which condemned a researcher known as Nightmare Eclipse for disclosing six unpatched Windows zero-days<\/a> without coordination, and was widely interpreted as a sweeping legal threat against all researchers who bypass official channels.<\/p>\n The dispute centers on Nightmare Eclipse<\/a>, also known as Chaotic Eclipse, who publicly released working proof-of-concept exploit code for six Windows vulnerabilities between April and mid-May 2026.<\/p>\n The flaws, named BlueHammer (CVE-2026-33825<\/a>), RedSun (CVE-2026-41091<\/a>), UnDefend (CVE-2026-45498<\/a>), YellowKey (CVE-2026-45585<\/a>), GreenPlasma, and MiniPlasma, targeted core Windows components including Microsoft Defender and BitLocker encryption.<\/p>\n Three of those exploits \u00a0BlueHammer, RedSun, and UnDefend were subsequently weaponized in real-world attacks, and CISA added them to its Known Exploited Vulnerabilities (KEV) catalog.<\/p>\n The researcher, who claims Microsoft ignored prior vulnerability submissions through official channels and \u201cstabbed them in the back,\u201d promised a \u201cbone-shattering\u201d follow-up drop on July 14 targeting July\u2019s Patch Tuesday.<\/p>\n Microsoft\u2019s Digital Crimes Unit has disabled Nightmare Eclipse\u2019s accounts on GitHub, GitLab, and the MSRC researcher portal following the public release of multiple Windows zero-days.<\/p>\n Microsoft\u2019s initial blog post warned it would \u201cbring cases against actors and those who enable their criminal activity,\u201d while MSRC also addressed the situation in a post on X.<\/a><\/p>\n Security experts immediately warned that this language could have a chilling effect on the broader research community, deterring future responsible disclosures.<\/p>\n In its follow-up clarification, Microsoft drew a sharp distinction between good-faith research and malicious activity.<\/p>\n The company stated that legal escalation would occur only \u201cwhen an individual breaks the law and engages in malicious activity causing real harm to our customers,\u201d explicitly separating criminal exploitation from legitimate vulnerability research and publication.<\/p>\n The statement acknowledged that some past interactions between MSRC and researchers \u201chave fallen short\u201d and pledged renewed commitment to \u201ctransparency, clear communication, and professionalism\u201d in every disclosure interaction.<\/p>\nMicrosoft Protects Good-Faith Researchers<\/strong><\/h2>\n