Sheejith's Personal Site

Microsoft is threatening legal action for disclosing exploits

Microsoft Security Response Center (MSRC) released a defensive blog post calling out the vindictive anonymous security researcher, known as Nightmare-Eclipse, for bypassing coordinated disclosure. Behind the corporate language, the message is clear: Microsoft wants researchers to stay in their lanes. It immediately struck a nerve among cyber pros.

Over the past two months, Nightmare-Eclipse has been fighting a personal vendetta against MSRC, releasing Windows zero-days publicly – 6 in total. These vulnerabilities enabled attackers to elevate their privileges to SYSTEM level and even bypass BitLocker encryption.

The hacker’s stated motivation: claims that Microsoft “violated their agreement,” “stabbed them in the back,” “ruined their life,” and left them “homeless with nothing.”

The zero-days got Microsoft’s attention. The tech giant has acknowledged all 6 disclosed vulnerabilities, calling them an “unnecessary risk” that forced its security teams to work around the clock to understand them, protect customers, and develop patches.

“The details of these vulnerabilities were not shared with Microsoft prior to release, and the disclosures put our customers at unnecessary risk,” MSRC’s blog post reads.

The post reads like a warning shot – disclosures outside proper channels face consequences.

Microsoft expresses firm opposition to Nightmare-Eclipse’s actions, and calls any disclosure outside proper coordination “unjustifiable.”

The tech giant is threatening legal action but doesn’t name the targets, using broad language to cover both actual attackers and researchers who “enable them” with the proof of concepts (POC).

“Our security teams … work tirelessly tracking threat actors who look for weaknesses just like these to attack Microsoft and our customers,” the blog post reads.

“Our Digital Crimes Unit will continue bringing cases against these actors and those who enable their criminal activity.”

The blog post ends with something of a peace offering – welcoming vulnerability submissions from anyone, “regardless of past interactions or reputation.”

“We invite diverse perspectives,” MSRC said.

“We realize that we will not always agree on everything, but we are committed to transparency and continue to create opportunities for dialogue.”

It’s unclear what legal risks Nightmare-Eclipse faces. While using exploits to gain unauthorized access and break into systems is a crime, simply publishing code is a legal grey area. Courts have previously, in other contexts, treated code as a form of speech protected by the First Amendment. A more immediate risk might be a breach of platform policies.

The largest code-sharing platforms, GitHub and GitLab, have already blocked the disgruntled researcher’s accounts and wiped their code.

Still, GitHub’s policy “allows dual-use content and supports the posting of content that is used for research into vulnerabilities, malware, or exploits,” as it has educational value and “provides net benefit to the security community.”

Only in rare cases does GitHub restrict access to disrupt ongoing attacks.

Posted on: 5/30/2026 12:38:30 PM
