TL;DR
- Legal Stance: Microsoft now rules out legal action against people conducting or publishing security research, a position it adopted after backlash over the Nightmare-Eclipse dispute.
- Bounty Dispute: Nightmare-Eclipse alleges Microsoft ignored outreach and paid no bounty after GitHub banned the researcher’s account.
- Researcher Rules: Microsoft’s bounty portal and safe-harbor terms still define how researchers submit reports and qualify for review.
- Submission Process: Future cases will test whether MSRC avoids another fight over access, escalation, or payment.
Microsoft said on June 1 it has no intention to pursue action against people conducting or publishing security research, a retreat that followed backlash over the GitHub ban around the Nightmare-Eclipse dispute.
GitHub banned Nightmare-Eclipse’s account on May 27, and Microsoft later described itself as taking the feedback seriously. Researchers now have a narrower legal threat to weigh, but the larger question is whether Microsoft’s disclosure and bounty channels can still be trusted once a zero-day fight turns public.
Microsoft spelled out the retreat in a public statement:
“To be clear about our approach to legal matters, we have no intention to pursue action against individuals conducting or publishing their security research.”
Microsoft, company statement
Why Microsoft’s Reassurance Matters
Nightmare-Eclipse may have moved its exploit publication work to GitLab after the GitHub removal. Public migration to another platform turned the dispute into a test of how Microsoft handles researchers once a disclosure conflict leaves private channels.
Nightmare-Eclipse accused Microsoft of refusing communication attempts and said the company paid no bounty, a damaging single-source claim that remains an allegation rather than an established fact. In the researcher’s account, the work “got zero pennies from doing so”.
Microsoft’s MSRC bounty program is supposed to provide a formal path from vulnerability report to review and reward. Reward ranges on the program page run from tens of thousands of dollars for some endpoint zero-days to six-figure sums for some Hyper-V exploit classes, so compensation is part of the trust test rather than a side complaint.
Regardless of past interactions or reputation, Microsoft still accepts vulnerability submissions. Even so, researchers are judging that assurance against whether difficult reports can still move through the channel without friction. The MSRC Researcher Portal is still the named submission route for bounty cases.
Microsoft’s safe harbor policy still defines the rules for testing and reporting. Coordinated vulnerability disclosure means reporting a flaw privately before publishing exploit details, while MSRC is Microsoft’s security response team. For non-specialists, the dispute is about whether that formal process stays credible when a conflict becomes public.
Microsoft’s May Position Still Shapes the Story
In May, Microsoft used sharper language before shifting to its June reassurance. It said several zero-day disclosures had been published without prior coordination and created unnecessary risk for customers.
Microsoft’s earlier MSRC post also said its Digital Crimes Unit could coordinate with law enforcement against actors it links to criminal activity. The promise not to pursue action against security researchers narrows that enforcement posture by drawing a clearer line between researchers and criminal actors.
The earlier BlueHammer rupture had already exposed tensions over Microsoft’s response pace and public exploit releases. In that fight, Katie Moussouris, founder of Luta Security, called the phrase “responsible disclosure” escalatory, saying “Invoking the term ‘responsible’ disclosure was the first strike in my book,” as criticism spread beyond the immediate dispute.
Response-process criticism from cybersecurity researcher William Dormann of Tharros added another warning sign: he argued that Microsoft’s handling may have become more rigid and less effective.
For Brian Levine, executive director of FormerGov, the dispute shows how vendor-researcher trust can break down even when both sides think they have legitimate concerns.
Researchers are likely to judge the softer language through behavior rather than wording. Another serious submission would show whether MSRC can handle a contested report without another fight over access, escalation, or payment.
Microsoft still accepts vulnerability submissions through its established process. If the next case moves cleanly, the June reassurance may start to look durable. If the same friction returns, the reset will look more like damage control than a stable change.