Microsoft is facing criticism from cybersecurity experts after warning that it could take legal action against people who enable criminal activity, following the publication of several unpatched vulnerabilities affecting Windows products.
The dispute involves a researcher using the name Nightmare Eclipse, who released technical details and proof-of-concept code for flaws affecting tools including Microsoft Defender and BitLocker. Some of the vulnerabilities were published on GitHub and GitLab before fixes were available, raising concerns that attackers could use the information to target organisations and individual users.
Microsoft said the researcher did not follow its usual disclosure process, which allows the company time to investigate security weaknesses and issue patches before technical details are made public. The company argued that releasing exploit code too early could expose customers to unnecessary risks.
The row intensified after Microsoft referred to the role of its Digital Crimes Unit, which works with law enforcement agencies and other organisations to combat cybercrime.
“Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity—coordinating as needed with law enforcement around the world,” Microsoft wrote.
Some security professionals interpreted the statement as a warning to researchers who publish details of unresolved flaws. Critics said the language could damage trust between Microsoft and the cybersecurity community, particularly if researchers become reluctant to report vulnerabilities for fear of legal consequences.
Nightmare Eclipse has claimed that communication with Microsoft had broken down before the disclosures were published. The researcher also alleged that access to their Microsoft Security Response Center account, which is used to submit vulnerability reports privately, had been removed.
The disagreement has revived a long-running debate over how companies and independent researchers should handle serious security flaws. Many technology firms operate bug bounty programmes and offer financial rewards for privately reported vulnerabilities. However, researchers have argued that the process can become difficult when reports are delayed, disputed, or poorly managed.
Katie Moussouris, founder of Luta Security and a former Microsoft employee, said the company’s approach could discourage researchers from coming forward.
“Adding a threat of prosecution by mentioning [Digital Crimes Unit] was over the top, and will only result in security researchers distrusting Microsoft.”