Image: עמית גירון / WikiMedia Commons

Microsoft calls zero-day releases ‘never justifiable’ as researcher threatens to drop more

Microsoft has published its first response to a weeks-long campaign of uncoordinated Windows zero-day releases, condemning the disclosures as “never justifiable” and suggesting that it could bring cases against people who enable cybercrime.

A pseudonymous researcher known as Nightmare Eclipse began releasing the vulnerabilities in April. Each was published with working proof-of-concept code to the Microsoft-owned code repository GitHub, making them immediately available to both attackers and security professionals.

The researcher's GitHub account has since been removed, and their Blogger page, where they have been posting since April, appears to be down as of publication.

The first three of the six vulnerabilities — known as BlueHammer, UnDefend and RedSun, all disclosed in April — have been exploited in live intrusions, according to Microsoft’s own patch advisories. All three appear on the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) catalog of known exploited vulnerabilities.

The three more recent releases — YellowKey, GreenPlasma and MiniPlasma, all disclosed earlier this month — have no patches and no confirmed exploitation as of publication.

The researcher has not publicly identified themselves. In cryptographically signed posts on their Blogger page they have set out grievances against Microsoft, alleging the company deleted their Microsoft Security Response Center account, withheld bounty payments and removed their attribution from at least one advisory.

“I could have made some insane cash selling this but no amount of money will stand between me and my determination against Microsoft,” they stated.

The researcher threatened a further release on July 14 — the date scheduled for Microsoft's Patch Tuesday — warning they would “make sure your bones are shattered that day.”

In a blogpost on Wednesday, Microsoft said: “We remain firmly opposed to these actions, and any disclosure outside proper coordination that could harm our customers and the digital ecosystem. Uncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable and have real-world consequences.”

The company stopped short of directly threatening legal action, but said: “Our security teams across the company work tirelessly tracking threat actors who look for weaknesses just like these to attack Microsoft and our customers. Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity – coordinating as needed with law enforcement around the world.”

Katie Moussouris, founder of Luta Security and the architect of Microsoft's original bug bounty program, posted on Bluesky on Thursday that Microsoft's use of the phrase "responsible disclosure" was itself loaded. "No vendor uses that term unless they want to call someone irresponsible," she wrote.

Industry frustrations

Although the details of the researcher’s complaints have not been verified, other security professionals have levelled similar complaints about Microsoft’s handling of vulnerabilities in the past. Trend Micro's Zero Day Initiative publicly criticised Microsoft in 2024 after reporting an actively exploited vulnerability and receiving no acknowledgment when it was patched.

Tenable's then-chief executive published a post on LinkedIn in 2023 accusing Microsoft of leaving customers “deliberately kept in the dark” about an Azure vulnerability that went unpatched for months after disclosure. Check Point researcher Haifei Li said separately that Microsoft had patched a bug he reported without notifying him, and that coordinated disclosure “can't be just one-sided.”

Moussouris warned that researchers dropping zero-day vulnerabilities wasn’t ideal, but not the worst thing a researcher could do. “Non-disclosure is far worse,” she wrote. “What drives researchers toward non-disclosure? Threats from vendors.”

Microsoft’s blog post acknowledged: “We invite diverse perspectives that help the security community work together to protect everyone. We realize that we will not always agree on everything, but we are committed to transparency and continue to create opportunities for dialogue. These conversations happen at researcher appreciation events, security conferences, and the everyday work we do together to understand and address vulnerabilities. 

“Our team will continue to support responsible research as we do everything we can to quickly investigate, address, and release updates for vulnerabilities that impact our customers. We always have and will continue to welcome vulnerability submissions from anyone through our public researcher portal, regardless of past interactions or reputation.”

Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and a fellow at the European Cyber Conflict Research Initiative, now Virtual Routes. He can be reached securely using Signal on: AlexanderMartin.79