CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 29, 2026

Microsoft Threatens Legal Action Over Zero-Day Leaks

Data Breach Today Archived May 29, 2026 ✓ Full text saved

Security Researchers Fear Broader Legal Pressure on Bug Disclosures Microsoft is pursuing legal action after a researcher publicly released six Windows zero-days and exploit code following a breakdown in coordinated disclosure talks, escalating tensions over vulnerability disclosure, platform moderation and protections for independent security researchers.

Full text archived locally
✦ AI Summary · Claude Sonnet


    Governance & Risk Management , Patch Management , Vulnerability Assessment & Penetration Testing (VA/PT) Microsoft Threatens Legal Action Over Zero-Day Leaks Security Researchers Fear Broader Legal Pressure on Bug Disclosures Tiffany Wang • May 28, 2026     Credit Eligible Get Permission Microsoft is pursuing legal action after a researcher publicly released six Windows zero-days and exploit code in what the the company described as an unauthorized disclosure. (Image: Shutterstock) The recent actions of a security researcher who disclosed six Windows vulnerabilities without informing Microsoft triggered the software giant to threaten to pursue criminal action for unauthorized disclosure. See Also: OnDemand I Remediate the Most Exploitable Vulnerabilities First and Fast Microsoft said Wednesday, "Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity - coordinating as needed with law enforcement around the world." The statement was part of an update on a rogue vigilante whose Microsoft, GitHub and GitLab accounts were taken down in sequence for bypassing authority to post zero-days. "The vulnerabilities known as RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma and MiniPlasma were not responsibly disclosed," Microsoft said. "Uncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable and have real-world consequences." The researcher, who goes by Nightmare Eclipse or Chaotic Eclipse, called Microsoft's accusation defamatory. Eclipse claimed to have followed Coordinated Vulnerability Disclosure standards at first, but Microsoft refused to communicate, declined to pay and deleted the Microsoft Security Response Center account used to report the bugs. While Eclipse's vindictive zero-day disclosures flout industry best practices, Microsoft, which owns code-sharing site GitHub and partners with software development platform GitLab, is putting the security community on edge with its threats of legal action. "I'm deeply uncomfortable with Microsoft attempting to weaponize their extensive law enforcement contacts to arrest people who post zero-days in the products," said security researcher Kevin Beaumont, who worked at Microsoft five years ago, on Mastodon. "GitHub has long been a source for zero-days exploits in competitor products. It still is. While I worked there GitHub had a policy saying they wouldn’t remove them," Beaumont said. "By continually removing just exploits for their own products from GitHub and declaring 'criminal activity,' it's a Rubicon you shouldn't cross." Eclipse dropped six vulnerabilities in six weeks. UnDefend, RedSun and BlueHammer can be exploited together in a coherent attack chain, enabling attackers to bypass Microsoft's tamper-protection safeguards and escalate privileges locally as authorized users. YellowKey grants unrestricted shell access to machines protected by BitLocker, a feature that encrypts disk data on tampered devices. And GreenPlasma and MiniPlasma enable unprivileged users to elevate access and execute commands with full SYSTEM privileges. Security firm Huntress said some of the vulnerabilities were actively exploited after Eclipse posted detailed exploit code in April. Microsoft finished sending out patches only a week ago. GitHub banned Eclipse's account on May 23, and GitLab blocked the account three days after it migrated over from GitHub. While it's possible for large corporations to launch civil lawsuits against researchers under the Computer Fraud and Abuse Act, the U.S. Department of Justice protects researchers who test vulnerabilities in good faith to promote device security.
    💬 Team Notes
    Article Info
    Source
    Data Breach Today
    Category
    ◇ Industry News & Leadership
    Published
    May 29, 2026
    Archived
    May 29, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗