
Microsoft Revives Vulnerability Disclosure Debate with Researcher Crackdown


“The fight is being argued as coordinated disclosure, but the grievance underneath is personal and specific in a way disclosure shouldn’t be, especially with a vendor that has been at it for so long,” Katie Moussouris told CyberScoop.

Microsoft’s public response and the threat of legal action

Microsoft pushed back hard after a security researcher known as “Nightmare Eclipse” published a series of zero-day vulnerabilities and proof-of-concept exploits. The company said it “received no details about the vulnerabilities prior to release,” argued the disclosures were not responsibly handled, and accused the researcher of putting customers at unnecessary risk. In a statement on X, Microsoft said: “When an individual breaks the law and engages in malicious activity causing real harm to our customers, we will work with law enforcement as appropriate.”

Microsoft framed coordinated vulnerability disclosure as the proper foundation for protecting customers and improving products, adding that it will “continue to take your feedback seriously” and “remain committed to engaging in good faith.” The company did not name the researcher by moniker and did not answer questions in the wake of the fallout.

Nightmare Eclipse: six named flaws and an escalating exchange

The researcher published six defects by name — RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma — and released proof-of-concept exploit code. Attackers exploited three of the six vulnerabilities before Microsoft issued patches, according to the reporting. Nightmare Eclipse claimed Microsoft refused to communicate, didn’t pay or credit them for discovering and reporting some flaws, deleted the Microsoft Security Response Center account they used to disclose vulnerabilities, and flagged their GitHub account for removal.

In posts leading up to Microsoft’s missive, the researcher warned of an escalating conflict. “You are proving to everyone that you are actively escalating this conflict,” they wrote, and threatened a mid‑July release that “will make sure your bones are shattered that day.”

Katie Moussouris and Andrew Morris on disclosure dynamics

Longtime vulnerability disclosure advocates weighed in with sharply different emphases. Katie Moussouris, founder and CEO at Luta Security, criticized Microsoft’s public tone and suggested the company “seemed to get emotional and shouldn’t have publicly said anything,” arguing that calling out a researcher while invoking law enforcement returns the ecosystem to “the first stages of vulnerability disclosure grief: denial and anger.”

Moussouris also framed coordinated disclosure as a vendor responsibility and a researcher gift: “Coordinated disclosure is what happens when a vendor gets lucky. Someone they did not hire hands them a real bug instead of using it or selling it,” and she warned that vendors must “own the risk” and learn from missteps.

Andrew Morris, founder and chief architect of GreyNoise, stressed the reciprocal nature of the relationship. “Personally, I feel like this researcher is being extremely petty. It seems like they have an ax to grind,” he said, while also noting that vendors must cultivate trust: “If you actually care about being the first one to know about bugs in your software... then you want to cultivate that trust with the security community.” Morris further questioned whether the CVE-based, coordinated-disclosure model is keeping up with scale: “There’s just so many CVEs. It’s like, is this even working anymore?”

Ammar Askar’s example and the limits of recourse

The Nightmare Eclipse dispute is not isolated. Security researcher Ammar Askar said a poor interaction with Microsoft’s security team led him to decide he would publicly disclose any bugs he finds in VS Code going forward. He followed through by publishing details and exploit code for a VS Code defect that allows attackers to steal GitHub tokens.

On legal lines, Moussouris drew a clear boundary: “The one red line is crime: using a flaw to extort or attack people.” She added that “threatening to publish on a set date is a threat to disclose, and disclosure is lawful,” and maintained that, despite tone and threats, “[Nightmare Eclipse] still broke no rule and violated no duty.”

What this means for technologists, product vendors, and end users

  • Technologists and security teams will watch exploit activity closely — three of the six named flaws were exploited before patches — and worry that rising volumes of vulnerabilities and AI-driven discovery will overwhelm current disclosure practices.
  • Product vendors and procurement leaders face pressure to repair and maintain trust with the researcher community; Moussouris warned that vendors who “squander the vendor’s luck” risk moving to harsher timelines or losing advance notification entirely.
  • End users and customers bear the near-term risk: the record in this episode shows attackers can exploit publicized flaws before patches are applied, and public standoffs between vendors and researchers may increase that window of exposure.

The episode exposes a persistent tension: coordinated vulnerability disclosure is widely embraced as the pragmatic approach, yet when relationships break down it can produce public showdowns, legal threats, and exploit-driven harm. With Nightmare Eclipse’s mid‑July timetable looming and Microsoft signaling readiness to involve law enforcement, the central question is concrete and immediate — can vendor outreach and researcher trust be repaired fast enough to prevent similar escalations, or will the community learn to treat coordinated disclosure as a fragile and potentially fleeting accommodation?

Source: CyberScoop