After a security researcher published a series of unpatched bugs in Microsoft products, along with code to exploit them, the company is now threatening to take legal action and call the cops on them. Microsoft’s veiled threat reignites a long-running argument over what responsibility, if any, security researchers have to disclose vulnerabilities affecting large and wealthy tech giants.

On Wednesday, Microsoft published a blog post criticizing the researcher, who goes by the handle “Nightmare Eclipse,” for publicly disclosing a series of bugs, including BlueHammer, RedSun, UnDefend, and YellowKey. The flaws affected products such as the Windows built-in antivirus engine Defender and the disk-encryption tool BitLocker. 

The core of Microsoft’s complaints is that the researcher did not attempt to report the bugs so that the company could fix them. That would have been “responsible,” as Microsoft’s blog put it. The other side of the company’s argument is that by publishing the details of the bugs and how to exploit them before they were patched, Nightmare Eclipse may have aided malicious hackers. Some of the vulnerabilities Nightmare Eclipse disclosed have since been used by hackers in real-world attacks, according to Microsoft, as well as the U.S. cybersecurity agency CISA.

“Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity — coordinating as needed with law enforcement around the world,” Microsoft wrote. (Microsoft’s Digital Crimes Unit has the mission of protecting the company through different strategies, including “civil legal actions, technical countermeasures, criminal referrals, and public-private partnerships,” according to its website).

In a series of blogs published in the last couple of weeks — without providing many specific details — Nightmare Eclipse claimed to have been in contact with Microsoft, but the company allegedly mistreated them, including revoking access to their Microsoft Security Response Center account, the portal where researchers can report vulnerabilities to the tech giant. Nightmare Eclipse’s implication was that they had no choice but to release the vulnerabilities publicly, which essentially meant that at that point they were zero-days, a specific term for security flaws that are unknown to the software maker affected at the time they are disclosed or exploited.

The researchers published the bugs on open source repositories GitHub (owned by Microsoft) and GitLab. The researchers’ accounts on those platforms have been banned. 

Nightmare Eclipse and Microsoft did not respond to a request for comment. 

Cybersecurity veterans warn of chilling effect

This public spat brings back a long-running and still somewhat controversial debate: Do independent security researchers have a duty to make sure the vulnerabilities they find get fixed? And how far are they supposed to go to make sure the companies whose products are vulnerable actually fix them? 

One part of this debate, which has been fully settled and widely recognized, is that researchers deserve to get paid for their work. While it may sound obvious these days, it took years of struggle, captured in part during a campaign launched in 2009 called “No More Free Bugs.” Almost 20 years later, most companies small and large pay “bug bounty” financial rewards, which can today run as high as six figures or more to researchers who privately disclose bugs and coordinate publishing their details once the bugs are fixed.

In response to this latest controversy with Nightmare Eclipse, countless researchers have shared their bad experiences reporting bugs to Microsoft. It’s fair to say that much of the cybersecurity community is vocally unhappy about how Microsoft is handling this issue. This includes cybersecurity veterans, such as Luta Security founder Katie Moussouris, who while working at Microsoft in the mid- to late 2000s pioneered bug bounties and convinced the technology giant to move away from the concept of “responsible disclosure” by framing the process as “coordinated disclosure.”

“Invoking the term ‘responsible’ disclosure was the first strike in my book,” Moussouris told TechCrunch, referring to Microsoft’s blog post. “Adding a threat of prosecution by mentioning [Digital Crimes Unit] was over the top, and will only result in security researchers distrusting Microsoft.”

Moussouris warned that the consequences of security researchers losing trust with Microsoft could result in a chilling effect of fewer people coming forward to report bugs, “making it less safe for all of us.”

Security researcher and former Microsoft employee Kevin Beaumont also called out Microsoft in a blog post, describing the company’s position a “dumpster fire of its own making.” 

“Proof of concept exploit creation and distribution for zero days is ‘criminal activity’ now?” wrote Beaumont. “Responsible disclosure quite often is framed to protect the product owner, not the customer — using it to try to criminally prosecute people is a new low.”

Groq is looking to raise $650 million in new funding from existing investors, sources tell Axios, as it leans into its inference neocloud business that relies on its homegrown AI chip and systems.

In December, Groq struck one of those not-an-acquisition agreements with Nvidia for a reported $20 billion, which involved the departure of some top-level senior Groq employees to the chip giant and the licensing of Groq’s hardware technology to Nvidia. That deal was good news for the startup’s investors, who got paid out in cash with what would have been Nvidia’s largest purchase, if the deal was a full-acquisition, Axios reports.

Now these investors have been asked to pony up and back the company’s plans to grow its inference cloud business, which lets developers and enterprises host their inference-hungry apps. Inference is the processing that happens after an AI prompt and is currently a much bigger need in the AI world than model training.

The new direction is led right now by Groq’s interim CEO and CFO, Adam Winter and Matt Eng, respectively. 

In some ways, the $650 million in funding is guaranteed. Axios reports that Groq’s backers Disruptive and Infinitium have agreed to fill the round should other existing investors not want their pro-rata shares.

The people deciding that AI can replace your job are also the ones least likely to understand what your job truly involves, according to Box founder Aaron Levie, who pointed to this as an example of “AI psychosis.” Indeed, ClickUp recently cut 22% of its workforce for AI agents, tech layoffs in 2026 are already nearly matching all of 2025, and DuckDuckGo installs are climbing from users who want Google to stop forcing AI into search and just give them links. 

Watch as TechCrunch’s Equity podcast hosts Kirsten Korosec, Anthony Ha, and Sean O’Kane dig into what happens when the AI-pilled and the AI-skeptical are both right at the same time, plus three deals worth knowing about and Waymo’s new robotaxi hitting the road. 

Subscribe to Equity on YouTube, Apple Podcasts, Overcast, Spotify and all the casts. You also can follow Equity on X and Threads, at @EquityPod.