Microsoft Backtracks on Legal Threats After YellowKey Zero-Day Dispute
Microsoft has moved to calm a growing dispute with security researchers after backlash over its response to public Windows zero-day disclosures.
The controversy centers on Chaotic Eclipse, also known as Nightmare-Eclipse, who published YellowKey, a Windows zero-day exploit affecting BitLocker. Microsoft said the flaw and several other vulnerabilities were not shared with the company before proof-of-concept code appeared publicly.
Microsoft faces backlash over YellowKey dispute
Microsoft argued that uncoordinated disclosure puts customers at risk because attackers can use technical details before patches or mitigations are ready.
The company pointed to its Coordinated Vulnerability Disclosure policy and said researchers should report flaws privately before publishing exploit code.
The tone of Microsoft’s response sparked criticism after the company suggested that uncoordinated disclosures that cause customer harm could lead to legal action.
Security researchers and industry figures pushed back, warning that legal threats could damage Microsoft’s relationship with the research community. Microsoft later clarified that it does not intend to pursue action against people conducting or publishing security research, and said law enforcement would only become involved when someone breaks the law and causes real customer harm.
Researcher claims accounts were removed
Nightmare-Eclipse claimed Microsoft banned their GitHub account and deleted the Microsoft account used for bug reports. The researcher described the company’s actions as vindictive.
Microsoft denied removing MSRC researcher portal accounts and said anyone can still submit vulnerabilities through the portal. The company also said it could not confirm which account the researcher was referring to.
The dispute has drawn wider attention because it reflects a long-running tension in security research. Vendors want private reporting to reduce user risk, while researchers often complain about poor communication, dismissed reports, or limited bounty payouts.
The wider disclosure debate is growing
The case comes as another public exploit has raised concerns. A separate Visual Studio Code zero-day was recently disclosed outside Microsoft’s security process, with exploit code that can reportedly steal GitHub authentication tokens after a victim clicks a malicious link.
That makes Microsoft’s position more difficult. The company wants to discourage public exploit releases for unpatched flaws, but the security community has warned that heavy-handed responses could reduce trust and make researchers less likely to cooperate.
For now, Microsoft appears to be walking back the legal angle while still defending coordinated disclosure as the safest path for customers.
Via Windows Central