Microsoft Faces Corporate Backlash After Threatening Security Researcher with Criminal Probe
Redmond, Friday, 29 May 2026.
Microsoft’s threat of criminal prosecution against an independent security researcher has ignited industry backlash, exposing significant corporate risks as three disclosed software flaws face active real-world exploitation.
The Escalation of a Coordinated Disclosure Dispute
In what has rapidly deteriorated into a public relations and security crisis for Microsoft (MSFT), a dispute with an independent security researcher known interchangeably as “Nightmare Eclipse,” “Chaotic Eclipse,” and “Dead Eclipse” reached a boiling point in late May 2026 [1][2][3]. Over a period of approximately six weeks leading up to May 27, the researcher publicly disclosed a total of six zero-day vulnerabilities affecting core Windows components, including Defender and BitLocker [2][3]. The researcher alleged that Microsoft operated in bad faith by ignoring vulnerability reports, arbitrarily closing support tickets, refusing to issue bug bounty payouts, and ultimately revoking their Microsoft Security Response Center (MSRC) account access [1][2]. In retaliation, the researcher began publishing weaponized proof-of-concept exploits on open-source repositories, fundamentally breaking the modern norms of coordinated vulnerability disclosure [1][2][3].
Legal Threats and the Chilling Effect on Security Research
Rather than de-escalating the conflict, Microsoft opted for an aggressive legal posture. On May 27 and 28, 2026, the technology giant published statements heavily criticizing Nightmare Eclipse for putting customers at risk through uncoordinated disclosures [1][2][4]. Microsoft announced that its Digital Crimes Unit (DCU) intends to pursue civil litigation, technical countermeasures, and criminal referrals in coordination with global law enforcement [1]. Concurrently, the researcher’s accounts were scrubbed from Microsoft-owned GitHub around May 23 and subsequently banned from GitLab between May 26 and May 27 for hosting weaponized exploit code [1][2][3].
Critical Risks for Enterprise Security Teams
For Chief Information Security Officers (CISOs), the immediate technical risk centers on the three remaining unpatched vulnerabilities: YellowKey, GreenPlasma, and MiniPlasma [3]. MiniPlasma represents a particularly critical threat, as it targets the Windows Cloud Filter driver to escalate standard user privileges directly to SYSTEM-level access [3]. Multiple independent parties have confirmed that the MiniPlasma exploit successfully executes on Windows 11 systems running the latest May 2026 software updates [3]. With no official patches available for these three remaining exploits, system administrators are currently forced to rely on active monitoring and compensating security controls to defend their networks [3].