TL;DR: Microsoft threatened legal action against a researcher who published unpatched Defender and BitLocker bugs. Veterans warn of a chilling effect.

Microsoft published a blog post on Wednesday criticising a security researcher known as “Nightmare Eclipse” for publicly disclosing a series of unpatched vulnerabilities in Windows Defender and BitLocker. The company then invoked its Digital Crimes Unit, which handles criminal referrals and law enforcement coordination. The cybersecurity community responded with outrage.

The bugs, named BlueHammer, RedSun, UnDefend, and YellowKey, affect Microsoft’s built-in antivirus engine and disk-encryption tool. The researcher published exploit code on GitHub (owned by Microsoft) and GitLab without giving Microsoft time to patch. According to Microsoft and CISA, some of the vulnerabilities have since been exploited in the wild.

Microsoft’s position is that the researcher should have reported the bugs privately so the company could fix them before public disclosure. The company called this “responsible” disclosure. Its blog post warned that its Digital Crimes Unit “will continue bringing cases against these actors and those that enable their criminal activity.”