Microsoft Wants To Throw Researcher In Jail
Why It Matters
The episode risks undermining trust between vulnerability researchers and Microsoft, potentially discouraging responsible reporting and complicating patching efforts, while legal ambiguity over exploit publication could reshape how security research is conducted and shared. That erosion of cooperation could leave customers exposed for longer and elevate reputational and operational risk for both researchers and vendors.
Summary
In April 2026 a researcher using the handles Nightmare/Chaos Eclipse published a string of zero-day vulnerabilities (Blue Hammer, Red Sun, Undefeated, Yellow Key, Green Plasma and Mini Plasma), mostly local privilege escalations plus one BitLocker bypass, allegedly after a dispute with Microsoft. Microsoft responded with a blog post condemning the non-responsible disclosures and warning that its Digital Crimes Unit will pursue actors and facilitators, language many in infosec read as a veiled legal threat to researchers. Legal experts and commentators note that publishing exploit code is not inherently criminal absent proof of knowing facilitation, and that these bugs require prior access or physical possession rather than remote compromise. The incident has prompted a wave of public criticism of Microsoft's MSRC handling and raised concerns about a chilling effect on responsible disclosure and researcher collaboration.