Microsoft Threatens Legal Action Over Zero-Day Leaks
Data Breach TodayArchived May 29, 2026✓ Full text saved
Security Researchers Fear Broader Legal Pressure on Bug Disclosures Microsoft is pursuing legal action after a researcher publicly released six Windows zero-days and exploit code following a breakdown in coordinated disclosure talks, escalating tensions over vulnerability disclosure, platform moderation and protections for independent security researchers.
Full text archived locally
✦ AI Summary· Claude Sonnet
Governance & Risk Management , Patch Management , Vulnerability Assessment & Penetration Testing (VA/PT)
Microsoft Threatens Legal Action Over Zero-Day Leaks
Security Researchers Fear Broader Legal Pressure on Bug Disclosures
Tiffany Wang • May 28, 2026
Credit Eligible
Get Permission
Microsoft is pursuing legal action after a researcher publicly released six Windows zero-days and exploit code in what the the company described as an unauthorized disclosure. (Image: Shutterstock)
The recent actions of a security researcher who disclosed six Windows vulnerabilities without informing Microsoft triggered the software giant to threaten to pursue criminal action for unauthorized disclosure.
See Also: OnDemand I Remediate the Most Exploitable Vulnerabilities First and Fast
Microsoft said Wednesday, "Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity - coordinating as needed with law enforcement around the world." The statement was part of an update on a rogue vigilante whose Microsoft, GitHub and GitLab accounts were taken down in sequence for bypassing authority to post zero-days.
"The vulnerabilities known as RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma and MiniPlasma were not responsibly disclosed," Microsoft said. "Uncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable and have real-world consequences."
The researcher, who goes by Nightmare Eclipse or Chaotic Eclipse, called Microsoft's accusation defamatory. Eclipse claimed to have followed Coordinated Vulnerability Disclosure standards at first, but Microsoft refused to communicate, declined to pay and deleted the Microsoft Security Response Center account used to report the bugs.
While Eclipse's vindictive zero-day disclosures flout industry best practices, Microsoft, which owns code-sharing site GitHub and partners with software development platform GitLab, is putting the security community on edge with its threats of legal action.
"I'm deeply uncomfortable with Microsoft attempting to weaponize their extensive law enforcement contacts to arrest people who post zero-days in the products," said security researcher Kevin Beaumont, who worked at Microsoft five years ago, on Mastodon.
"GitHub has long been a source for zero-days exploits in competitor products. It still is. While I worked there GitHub had a policy saying they wouldn’t remove them," Beaumont said. "By continually removing just exploits for their own products from GitHub and declaring 'criminal activity,' it's a Rubicon you shouldn't cross."
Eclipse dropped six vulnerabilities in six weeks. UnDefend, RedSun and BlueHammer can be exploited together in a coherent attack chain, enabling attackers to bypass Microsoft's tamper-protection safeguards and escalate privileges locally as authorized users.
YellowKey grants unrestricted shell access to machines protected by BitLocker, a feature that encrypts disk data on tampered devices. And GreenPlasma and MiniPlasma enable unprivileged users to elevate access and execute commands with full SYSTEM privileges.
Security firm Huntress said some of the vulnerabilities were actively exploited after Eclipse posted detailed exploit code in April. Microsoft finished sending out patches only a week ago.
GitHub banned Eclipse's account on May 23, and GitLab blocked the account three days after it migrated over from GitHub.
While it's possible for large corporations to launch civil lawsuits against researchers under the Computer Fraud and Abuse Act, the U.S. Department of Justice protects researchers who test vulnerabilities in good faith to promote device security.