{"id":222015,"date":"2026-05-28T16:18:00","date_gmt":"2026-05-28T20:18:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/28\/microsoft-threatens-researcher-over-bug-reports-triggers-cybersecurity-uproar\/"},"modified":"2026-05-28T17:15:13","modified_gmt":"2026-05-28T21:15:13","slug":"microsoft-threatens-researcher-over-bug-reports-triggers-cybersecurity-uproar","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/28\/microsoft-threatens-researcher-over-bug-reports-triggers-cybersecurity-uproar\/","title":{"rendered":"Microsoft Threatens Researcher Over Bug Reports, Triggers Cybersecurity Uproar"},"content":{"rendered":"

Microsoft Threatens Researcher Over Bug Reports, Triggers Cybersecurity Uproar<\/a><\/p>\n

https:\/\/www.pcmag.com\/news\/microsoft-threatens-researcher-over-bug-reports-triggers-cybersecurity<\/a><\/p>\n

Publish Date: 2026-05-28 16:18:00<\/a><\/p>\n

Source Domain: www.pcmag.com<\/a><\/p>\n

Author: <\/a><\/p>\n

Using an unordered list, summarize the following article with between 4 and 8 key points.
\n The cybersecurity community is blasting Microsoft for threatening legal action against a disgruntled researcher who\u2019s been exposing Windows vulnerabilities outside the company\u2019s normal disclosure process.\u00a0The controversy deals with a researcher known as \u201cNightmare Eclipse,\u201d who has published six unpatched \u201czero-day\u201d flaws in recent weeks. This includes a proof-of-concept exploit for a Windows vulnerability known as BlueHammer that can allow an attacker to escalate their privileges to the administrator level.\u00a0Researchers normally submit such findings to the Microsoft Security Response Center (MSRC) for patching to prevent hackers from exploiting them. But Nightmare Eclipse has deliberately ignored the responsible disclosure route, citing claims that Microsoft mistreated them.\u00a0
\n\u201cThey mopped the floor with me and pulled every childish game they could,\u201d the researcher wrote last month, without elaborating. \u201cIt was soo bad at some point I was wondering if I was dealing with a massive corporation or someone who is just having fun seeing me suffer but it seems to be a collective decision.\u201dThe tension only escalated after Nightmare Eclipse disclosed more flaws this month, writing: \u201cMicrosoft has chosen to make this worst instead of resolving the situation like adults, they pulled every childish game possible.\u201d On Wednesday, the software giant responded with its own blog post that reiterated the need for responsible disclosure to prevent hackers from abusing such flaws and contained a legal threat.\u00a0\u00a0\u201cUncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable and have real-world consequences,\u201d the company wrote, later adding: \u201cOur Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity \u2013 coordinating as needed with law enforcement around the world.\u201d\u00a0Microsoft goes on to say \u201cany disclosure outside proper coordination\u201d could harm its customers. But that last part about pursuing potential charges against Nightmare Eclipse has sparked an uproar in the cybersecurity community since one could argue the researcher is doing Microsoft a service by exposing critical bugs.\u00a0<\/p>\n

This Tweet is currently unavailable. It might be loading or has been removed.<\/p>\n

\u201cMicrosoft will do anything to stop people posting zero-days except fix MSRC,\u201d tweeted Zack Korman, CTO of cybersecurity provider Pistachio. Other researchers are sharing their stories of reporting a flaw to Microsoft, but the company refusing to pay a reward or officially fixing the problem and quietly issuing a patch later.”MSRC strung me along for a few extra months\u00a0to keep me quiet, then broke their word….The interaction left such a bad taste in my mouth that I don\u2019t really feel like interacting with\u00a0them again,” wrote Gabriel Landau, a cybersecurity researcher and developer of anti-malware programs for Windows. Nvidia support engineer Eric Warnke also wrote of Microsoft: \u201cYou cannot compel independent security researchers. You can only make it more or less attractive to work with you. Microsoft made it less attractive, and now they’re writing blog posts about shared responsibility. That’s a CYA, not a bug program designed to encourage reporting.\u201d\u00a0<\/p>\n

Recommended by Our Editors<\/p>\n

This Tweet is currently unavailable. It might be loading or has been removed.<\/p>\n

Kevin Beaumont, a security researcher who previously worked at Microsoft, is also doubtful that Remond could successfully sue anyone for violating a company’s responsible disclosure policy, which is often set by the company itself.\u00a0\u00a0\u00a0\u201cIf Microsoft\u2019s tactic is to try to criminalize not following often arbitrary \u2018responsible disclosure\u2019 frameworks, good luck defending that in court \u2014 because there\u2019s a whole clown car of prior decision making within Microsoft and facts which would emerge in that process,\u201d he wrote noting that the Microsoft-owned Github often hosts software exploits and hacking techniques, but doesn’t necessarily remove them. \u00a0\u201cMicrosoft should be concentrating on making better, more secure products that one person can\u2019t run rings around,\u201d he added.\u00a0In the meantime, both the GitHub and GitLab pages for Nightmare Eclipse have been taken down, along with their MSRC account, preventing them from properly disclosing future bugs to Microsoft. However, the researcher has threatened to publish a\u00a0 new vulnerability on July 14, warning: \u201cI will make sure your bones are shattered that day.\u201d<\/p>\n

About Our Expert<\/p>\n

Michael Kan
\n Principal Reporter<\/p>\n

Experience<\/p>\n

I’ve been a journalist for over 15 years. I got my start as a schools and cities reporter in Kansas City and joined PCMag in 2017, where I cover satellite internet services, cybersecurity, PC hardware, and more. I’m currently based in San Francisco, but previously spent over five years in China, covering the country’s technology sector.Since 2020, I’ve covered the launch and explosive growth of SpaceX’s Starlink satellite internet service, writing 600+ stories on availability and feature launches, but also the regulatory battles over the expansion of satellite constellations, fights with rival providers like AST SpaceMobile and Amazon, and the effort to expand into satellite-based mobile service. I’ve combed through FCC filings for the latest news and driven to remote corners of California to test Starlink’s cellular service. I also cover cyber threats, from ransomware gangs to the emergence of AI-based malware. In 2024 and 2025, the FTC forced Avast to pay consumers $16.5 million for secretly harvesting and selling their personal information to third-party clients, as revealed in my joint investigation with Motherboard.I also cover the PC graphics card market. Pandemic-era shortages led me to camp out in front of a Best Buy to get an RTX 3000. I’m now following how the AI-driven memory shortage is impacting the entire consumer electronics market. I’m always eager to learn more, so please jump in the comments with feedback and send me tips.<\/p>\n

Read Full Bio<\/p>\n

<\/p>\n","protected":false},"excerpt":{"rendered":"

Microsoft Threatens Researcher Over Bug Reports, Triggers Cybersecurity Uproar https:\/\/www.pcmag.com\/news\/microsoft-threatens-researcher-over-bug-reports-triggers-cybersecurity Publish Date: 2026-05-28 16:18:00 Source…<\/p>\n","protected":false},"author":1,"featured_media":222017,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/i.pcmag.com\/imagery\/articles\/07FMtL2ORWC4CdLd0CUQ6V7-1.fit_lim.size_1200x630.v1779991171.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,24,31,32,27],"class_list":["post-222015","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-cybersecurity","tag-exploit","tag-malware","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/222015"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=222015"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/222015\/revisions"}],"predecessor-version":[{"id":222019,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/222015\/revisions\/222019"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/222017"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=222015"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=222015"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=222015"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}