Microsoft held two opposite positions in a single week. That is the flaw.
While the industry re-litigates responsible disclosure, a flaw that bypasses BitLocker is still sitting unpatched. And Microsoft, which wrote the rules of the game, just proved it only follows them when the mood takes it.

While the industry re-litigates responsible disclosure, a flaw that bypasses BitLocker is still sitting unpatched. And the company that wrote the rules of the game just proved it only follows them when the mood takes it.
Let's replay Microsoft's week. One day, the company publishes a post that calls any disclosure of a flaw outside its channels "unjustifiable" and waves the threat of criminal prosecution through its dedicated digital crimes unit. A few days later, jeered by the security community, it explains that of course it has no intention of prosecuting anyone and that coordinated disclosure remains its guiding star. Same facts, two opposite positions, seven days apart.
Meanwhile, one of the six flaws in question bypasses the BitLocker encryption of Windows 11 and is still waiting for its patch. We argue about a researcher's manners while an encryption door stays open.
The industry, true to form, immediately replayed its favorite debate, the one about responsible disclosure. Should the researcher have waited. Does Microsoft have the right to threaten. We took sides, we got outraged, we dredged up our worst memories of reporting to the MSRC. And we missed what the sequence really showed.
A company that changes its mind in a week has no doctrine
Microsoft is no naive player in disclosure, it is the inventor of it. It was there, in the mid-2000s, that the loaded term "responsible disclosure," which puts the blame on the researcher, was swapped for "coordinated disclosure," which describes a two-party process. Twenty years of practice, a written doctrine, entire teams that keep it alive. The knowledge is there, massive, available.
And at no point did it carry any weight. When six flaws embarrassed the company, it was not that knowledge that spoke up, it was the lawyers. When the community reacted, it was no longer the lawyers either, it was communications. Microsoft's position that week was not dictated by what it knows about security, it was dictated by the last person to shout loudly enough. That is what the sequence reveals, and it is far more worrying than a rude researcher. One of the most mature companies in the sector, called on to defend a line, changed it in seven days. That is not a doctrine, it is a mood.

The researcher is no hero, and that changes nothing
Let's be clear, I do not absolve Nightmare Eclipse. Publishing exploit code for unpatched flaws, three of which did serve in real attacks before landing in CISA's catalog of exploited vulnerabilities, is nothing like an act of public service. There are victims at the end of it, organizations with no patch and no choice.
But look at what that admission does to Microsoft's argument. Even granting that the researcher acted wrongly, nothing explains why a company of this size responds with a legal reflex one day and a denial the next. The researcher's supposed fault does not manufacture a coherent position for the company. It only reveals that it had none.
The real breakdown is in the plumbing, not in the morals
There was a real subject, though, and no one looked at it. The researcher claims to have first reported these flaws by the book, before Microsoft deleted the account used to escalate them, withheld their bounties and erased their name from a security advisory. True or false in this particular case, it hardly matters. That is exactly where real security is decided, in the state of the channel that connects those who find the flaws to those who fix them. Clog that channel, and all that is left for the researcher is silence or wild publication. Both end up as zero-days.
A disclosure process is not a courtesy reserved for well-mannered researchers. It is a risk-reduction mechanism, with deadlines kept, acknowledgments, payment, attribution. Microsoft knows all of this by heart. It simply chose, under pressure, to defend its reputation rather than fix its plumbing.
The real question was never whether the researcher was responsible. It is how the company that wrote the manual on disclosure could, in a single week, forget that it had written it. On July 14, the researcher promises a fresh volley. That day we will see whether Microsoft has found a backbone again, or only a new mood.
Questions fréquentes
What are the two opposite positions Microsoft held?
One day, the company calls any disclosure outside its channels "unjustifiable" and mentions criminal prosecution through its dedicated digital crimes unit. A few days later, under criticism, it assures that it has no intention of prosecuting and reaffirms coordinated disclosure as its guiding star.
Which flaw stays unpatched during this debate?
One of the six flaws in question bypasses the BitLocker encryption of Windows 11 and is still waiting for its patch, while the industry argues about the researcher's manners.
Does the article defend the researcher Nightmare Eclipse?
No. The author does not absolve them: publishing exploit code for unpatched flaws, three of which were used in real attacks, is not an act of public service. But that does not explain the inconsistency of Microsoft's response.
Why is Microsoft particularly concerned by disclosure?
Microsoft is its inventor: it was there, in the mid-2000s, that "responsible disclosure" was replaced by "coordinated disclosure." Twenty years of practice and a written doctrine that nonetheless carried no weight in its reaction.
What is the disclosure "plumbing" according to the article?
It is the channel that connects those who find the flaws to those who fix them, with deadlines kept, acknowledgments, bounties and attribution. When this channel is clogged (a deleted account, withheld bounties), all that remains is silence or wild publication, which end up as zero-days.
Sources & méthodologie
- Microsoft MSRC, A shared responsibility: protecting customers through coordinated vulnerability disclosure (
- CISA, Known Exploited Vulnerabilities (KEV) Catalog

Être en cybersécurité
Une feuille de route cyber en clair, pour tout le monde, pas seulement les experts.
