Microsoft’s Threat Against a Zero-Day Researcher Could Backfire

Microsoft has told a security researcher who published six unpatched Windows flaws online that its Digital Crimes Unit (DCU, the company’s in-house investigative team) will keep “bringing cases against these actors and those that enable their criminal activity.” The warning, aimed at a hacker using the handle Nightmare Eclipse, has set off a revolt among the very people Redmond leans on to find those flaws before criminals do.

Here is the awkward part. The company issuing that threat also owns GitHub, which hosts more working exploit code than anywhere else on the internet, and it has a documented habit of hiring researchers who once dumped or sold zero-days. Kevin Beaumont, a former Microsoft senior security analyst, calls the whole stance “a dumpster fire of their own making.”

Six Zero-Days, One Grudge, and a July Deadline

Over roughly six weeks beginning in April 2026, the researcher posted proof-of-concept code for six separate vulnerabilities in Windows and its built-in defenses, then promised more. A zero-day (a flaw with no available patch when it goes public) is dangerous precisely because defenders have no fix ready. These were not theoretical. By April 10, threat-intelligence firm Huntress had confirmed attackers were already using some of them, and on April 22 the US Cybersecurity and Infrastructure Security Agency (CISA) added them to its federal catalog of exploited vulnerabilities.

The codenames read like a comic-book roster. Three of them hand an ordinary user full SYSTEM-level control of a machine. One blinds Microsoft Defender. One reaches into BitLocker, the disk-encryption tool. Only one of the six carries a formal CVE (Common Vulnerabilities and Exposures) tracking number and a fix. Here is where each stood after the code went public, per a May 19 technical breakdown by Barracuda’s threat researchers:

| Codename | What it does | Status |
| --- | --- | --- |
| BlueHammer | Unprivileged user to SYSTEM via Defender | Patched (CVE-2026-33825) |
| RedSun | Same SYSTEM-level outcome, different code path | No CVE assigned |
| UnDefend | Makes Defender look healthy while blinding it | Unpatched |
| YellowKey | BitLocker bypass on TPM-only (Trusted Platform Module) setups | Unpatched |
| GreenPlasma | Partial Windows privilege escalation | Unpatched |
| MiniPlasma | Local privilege escalation on patched Windows 11 | Unpatched |

**Three of the six were being exploited in the wild** within days of the code appearing, according to that catalog. The company said on May 15 that it was aware of and investigating the reports, the same machinery that drives its record SharePoint patch wave this spring.

And the researcher has not stopped. There is a promise of remote code execution (RCE, flaws that let an attacker run programs on a machine from afar) bugs still to come, plus a claimed “dead man’s switch” that would release more exploits on its own. The next drop is threatened for mid-July, which turns a contained mess into a countdown.

Why Microsoft Reached for Its Digital Crimes Unit

Microsoft’s public response did not soften anything. It said the six bugs “were not responsibly disclosed,” that the company remained “firmly opposed to these actions,” and that uncoordinated dumps of proof-of-concept code “are never justifiable and have real-world consequences.”

There is a real argument buried in that. When working exploit code for an unpatched flaw goes public, criminals get a running start while defenders scramble. Microsoft runs cloud and software for hospitals, banks and the US military; it lost control of part of its Microsoft 365 layer to Russian-backed intruders last year, and it carries the weight of contracts like the Pentagon’s recent $9.7 billion federal software deal routed through Dell. Customer harm from a live zero-day is not hypothetical, and chief executive Satya Nadella has already absorbed a run of embarrassing Azure and cloud breaches.

What rattled researchers was the escalation. The company invoked its Digital Crimes Unit, the legal team that normally hunts botnet operators and ransomware gangs, and pledged to keep pursuing “those that enable their criminal activity.” To many in the field, that last clause reads as a threat against anyone who simply publishes a flaw, not just the people who weaponize one.

The Company Hosting the World’s Largest Pile of Zero-Days

Beaumont’s objection is not that uncoordinated disclosure is harmless. It is that Microsoft, of all companies, is poorly placed to call it criminal.

GitHub, which Microsoft bought in 2018, is **the single largest host of proof-of-concept exploit code on the internet**, including working attacks for flaws that have no patch. The company profits from that openness every day it keeps the platform running.

He also points to the hiring record. Microsoft brought on a researcher known as SandboxEscaper, who had published Windows zero-day proofs of concept in the open, the exact behavior the new blog post now frames as off-limits. Beaumont went further, writing that the company “knowingly employed somebody who would repeatedly talk about selling exploits to Russia and Iran, publicly, while working there.”

His verdict on the legal threat was blunt.

If Microsoft’s tactic is to try to criminalise not following often arbitrary “responsible disclosure” frameworks, good luck defending that in court.

Beaumont, who spent years inside the company before becoming one of its sharpest outside critics, posted that on his analysis blog, DoublePulsar, in a teardown of the zero-day stance. He warned of “a whole clown car of prior decision making” that would surface if any case reached discovery, and asked which lawyers in CELA (Corporate, External, and Legal Affairs, Microsoft’s legal arm) signed off on the wording.

How Microsoft Cut Off Its Own Reporting Channel

The researcher’s complaint is personal. “I was told personally by them that they will ruin my life and they did,” the hacker wrote, claiming the dispute started as an ordinary bug report and curdled into something uglier. Whatever the truth of that account, the response left no clean way to report anything again. According to Beaumont’s reconstruction, the cutoffs stacked up fast:

  • Banned from GitHub, the Microsoft-owned platform where the proofs of concept were posted
  • Removed from GitLab, a Microsoft partner service
  • Doxxed on Twitter, with personal details exposed
  • Locked out of the MSRC (Microsoft Security Response Center) portal, the official channel for reporting bugs

That last item is the trap. As Beaumont put it, “It’s quite difficult to ‘responsibly’ report future vulnerabilities when you have been banned.” A reporting system that boots the reporter pushes the next disclosure straight onto the public timeline the company says it wants to avoid.

The Bounty Money That Buys Goodwill

Microsoft spends heavily to keep researchers inside the tent, which is what makes this fight look self-defeating. The cash is not a rounding error.

  • **$17 million** paid to 344 researchers across 59 countries in the program’s latest year, a record for the company’s bounty
  • **$2.3 million** awarded at the 2026 Zero Day Quest event from roughly 700 submissions
  • **80+** high-impact cloud and AI vulnerabilities fixed through that single contest

Those figures, drawn from the annual bounty program review and the 2026 Zero Day Quest results, buy something money cannot easily replace: a steady stream of people willing to report flaws quietly instead of selling them or dropping them in public.

The company is leaning harder into that loyalty, too. It said it would start ranking its most valuable researchers by payout this July, tying recognition to severity and retention. Goodwill is the product the bounty machine actually sells.

The risk now is reputational contagion. Researchers talk, and a public account of someone being doxxed and locked out after a dispute can chill the exact quiet reporting the program depends on. As Beaumont argued, Microsoft “should be concentrating on making better, more secure products that one person can’t run rings around.”

A Disclosure Fight With No Federal Rulebook

Underneath the personal drama sits a real legal vacuum. The United States has no federal law that defines “responsible disclosure” or makes ignoring it a crime, and proposals to write one have been kicked around Washington for years without passing.

A researcher who simply publishes a flaw is generally protected by First Amendment speech rights. The exposure lies elsewhere. The Computer Fraud and Abuse Act (CFAA, the 1986 anti-hacking statute) can bite depending on how the flaws were obtained, not on whether they were published afterward. That distinction is exactly where the “criminal activity” framing gets shaky, and why critics suspect a courtroom test would expose more about the accuser than the accused.

The next pressure point is already on the calendar. Nightmare Eclipse has threatened a fresh exploit drop around **July 14**, with a dead man’s switch said to fire on its own. If the company patches the remaining flaws and lets the legal threat quietly lapse, this stays a bruising week for its public relations. If it actually files through the Digital Crimes Unit, it invites the discovery process Beaumont is daring it to risk, and its own hiring files become exhibits.
