Danish Kapoor

Microsoft showed legal stick to researcher who published Windows vulnerabilities

Microsoft signalled possible legal action and cooperation with law enforcement after a security researcher using the pseudonym Nightmare Eclipse published Windows vulnerabilities and exploit code. The researcher shared the vulnerabilities named BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma and MiniPlasma on GitHub and GitLab. They affect Microsoft products that sit directly in the security layer, such as Windows Defender and BitLocker. The debate is therefore not only about tension between a researcher and a company; it also touches the relationship of trust across the Windows ecosystem.

The Microsoft Security Response Center stated in an article published on Thursday that the vulnerabilities in question had not been reported “responsibly”. The company argued that the researcher made the vulnerabilities public without reporting them to Microsoft, creating unnecessary risk for customers. Microsoft also said its Digital Crimes Unit will pursue civil litigation and technical countermeasures against actors who enable criminal activity, and will coordinate with law enforcement when necessary.

Nightmare Eclipse, on the other hand, claimed in blog posts published in recent weeks that he had contacted Microsoft but that the company treated him badly. The researcher said his access to his Microsoft Security Response Center account had been removed. The fact that GitHub is owned by Microsoft escalated the controversy further when the researcher’s GitHub account was also removed. Closing the GitLab account did not stop the spread of the vulnerabilities; the code and technical details soon circulated through other channels of the security community.

There is also a more concrete risk on the security side of the issue. Huntress reported that it has seen the BlueHammer, RedSun and UnDefend tools in real attack investigations. CISA also tracked CVE-2026-33825, the CVE record for BlueHammer, and gave US federal agencies an expedited remediation deadline. This shows that publicly available PoC code is not just theoretical research material.

Where should researchers draw the line in open sharing?

To protect users, researchers must first report vulnerabilities to the vendor, and the vendor must take the report seriously and provide a technical response within a reasonable time. The problem here grows when both parties take steps that damage that relationship of trust. Microsoft advocates a “coordinated vulnerability disclosure” approach. Many in the security community, however, saw the company’s “responsible disclosure” language and its legal overtones as a means of putting pressure on researchers.

The main vulnerabilities in the incident are as follows:

  • BlueHammer: risks local privilege escalation via Microsoft Defender.
  • RedSun: was shared with the claim of reaching SYSTEM level on Windows systems.
  • UnDefend: is known for a scenario that blocks Defender updates.
  • YellowKey: is especially important for stolen or physically accessed devices because of its claim to bypass BitLocker protection.
  • GreenPlasma and MiniPlasma: were added to the list with claims of privilege escalation in different Windows system components.

To be honest, we see Microsoft managing this crisis on two separate fronts. On one hand, the company must quickly protect its customers; on the other, it must move forward without losing its connection with the research community. Experienced figures in the security world, such as Katie Moussouris, say that statements with legal overtones may discourage researchers from reporting vulnerabilities to Microsoft. Such a break means vulnerabilities get patched later for the banks, public institutions, hospitals and SMEs that run Windows devices at enterprise scale, especially in Türkiye.

Microsoft’s best move would be to explain transparently where the reporting process broke down, instead of pressuring the researcher on legal grounds alone. It should be said that Nightmare Eclipse’s direct release of the vulnerabilities put users at risk. But when large technology companies position security researchers as adversaries, attackers can exploit that gap faster. Windows security is strengthened not just by patches but by the fact that researchers still want to knock on the door.
