It was around 2000. I was running Legion across entire Class B ranges, watching open Windows shares scroll up the screen faster than I could read them. C$. ADMIN$. Whole NT4 boxes answering null sessions like a door with no lock and a welcome mat on the floor. You didn’t need a password. You needed curiosity and a free afternoon.

The Microsoft of that era had no Patch Tuesday. No Security Response Center worth the name. Security was a feature request that lost to the ship date, every quarter, on purpose. The company that today runs one of the most disciplined vulnerability programs on the planet once shipped operating systems to hospitals and banks with the equivalent of the front door propped open.

Go back a little further, to 1995. Windows 95 shipped in such a hurry that calling it finished was generous. There was no automatic update. There was barely an internet. So for most users the repairs came on physical media, long after the launch party. Service Pack 1 landed a few months later. The deeper fixes in OSR2 went out OEM-only, which meant you could not download them and could not buy them off a shelf. You got the version of the operating system that actually worked by purchasing a brand new computer that happened to ship with it. The fix existed. It just wasn’t for you.

So how did we get from there to here?

Outside people kept kicking the tires. Researchers, hobbyists, the kids writing GUI front-ends for the NetBIOS Auditing Tool because the command line scared off the curious. People with no NDA, no badge, no reason to care except that the door was open and someone should say so. Microsoft’s security maturity was not born in Redmond. It was forced on Redmond from the outside, one embarrassing disclosure at a time, until the cost of ignoring researchers finally exceeded the cost of listening to them.

Which is what makes this month so strange. Microsoft is now threatening to put one of those people in prison.

What Actually Happened

A researcher operating as Nightmare Eclipse, reportedly a former Microsoft employee, published six Windows zero-days with working exploit code: RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma. They hit Windows Defender and BitLocker. The crown jewels. The things that stand between a stolen laptop and a stolen life.

And these two are not optional extras. Full-disk encryption and endpoint defense are the non-negotiable floor of every serious corporate security baseline. Open any GRC program, any device-compliance policy, any ISO 27001 control set or CIS benchmark, and you find the same two requirements near the top: the disk is encrypted, the endpoint is protected. The moment you mark a fleet “compliant,” you have asserted in writing that those two controls hold. So a flaw in BitLocker or Defender doesn’t dent one laptop. It dissolves the assumption the entire compliance chain is built on. Every conditional-access rule, every “trusted device” gate, every downstream audit attestation inherits the crack. Now count the machines resting on that floor. Hundreds of millions of corporate endpoints, a large share of them in regulated, safety-critical, and national-security-adjacent work, are certified compliant precisely because those controls are presumed sound. When the floor moves, everything standing on it moves with it.
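As an added example, not part of the original essay, here is roughly what a device-compliance gate evaluates on a Windows endpoint when it asserts “disk encrypted, endpoint protected”: the BitLocker state of the OS volume and Defender’s protection state, read through the built-in BitLocker and Defender cmdlets. The pass/fail thresholds (which key protectors count, how stale signatures may be) are assumptions of this example, not any vendor’s or framework’s policy. Notice that every line reads a status flag. A check like this can tell you the control is switched on; it cannot tell you the control is sound, and that is the assumption a flaw in either component dissolves.

```powershell
# Added example: what a device-compliance check typically asserts about the two
# controls the text calls the "floor". Run in an elevated PowerShell session on a
# Windows endpoint with the BitLocker module and Defender present.
# Thresholds below are this example's assumptions, not a vendor baseline.

function Test-EndpointBaseline {
    [CmdletBinding()]
    param(
        [int]$MaxSignatureAgeDays = 3   # assumed policy threshold
    )

    $findings = [ordered]@{}

    # --- Control 1: the OS volume is encrypted AND protection is actually on.
    # VolumeStatus can read FullyEncrypted while ProtectionStatus is Off
    # (protectors suspended, e.g. around a firmware update); a suspended volume
    # keeps its volume master key in the clear, so both must be checked.
    $osDrive = $env:SystemDrive
    $vol = Get-BitLockerVolume -MountPoint $osDrive -ErrorAction Stop
    $protectorTypes = @($vol.KeyProtector.KeyProtectorType)
    $findings['BitLocker.VolumeStatus']     = $vol.VolumeStatus
    $findings['BitLocker.ProtectionStatus'] = $vol.ProtectionStatus
    $findings['BitLocker.Protectors']       = ($protectorTypes -join ',')
    $diskOk = ($vol.VolumeStatus -eq 'FullyEncrypted') -and
              ($vol.ProtectionStatus -eq 'On') -and
              (($protectorTypes -contains 'Tpm') -or ($protectorTypes -contains 'TpmPin'))

    # --- Control 2: the Defender service is running, real-time protection is on,
    # tamper protection is on, and signatures are not stale.
    $mp = Get-MpComputerStatus -ErrorAction Stop
    $sigAge = (Get-Date) - $mp.AntivirusSignatureLastUpdated
    $findings['Defender.AMServiceEnabled']          = $mp.AMServiceEnabled
    $findings['Defender.RealTimeProtectionEnabled'] = $mp.RealTimeProtectionEnabled
    $findings['Defender.IsTamperProtected']         = $mp.IsTamperProtected
    $findings['Defender.SignatureAgeDays']          = [int]$sigAge.TotalDays
    $avOk = $mp.AMServiceEnabled -and
            $mp.RealTimeProtectionEnabled -and
            $mp.IsTamperProtected -and
            ($sigAge.TotalDays -le $MaxSignatureAgeDays)

    # The object a compliance service would record. Every field is a flag read
    # from the component itself; none of them measures whether the component works.
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        DiskEncrypted     = $diskOk
        EndpointProtected = $avOk
        Compliant         = ($diskOk -and $avOk)
        Findings          = $findings
    }
}

# Usage: run locally, or wrap in Invoke-Command to sweep a fleet.
$result = Test-EndpointBaseline
$result | Format-List ComputerName, DiskEncrypted, EndpointProtected, Compliant
$result.Findings
```

The ProtectionStatus check is the one most fleet dashboards skip, and it matters: an encrypted volume with suspended protectors passes a naive “is it encrypted” query while offering no protection at all to the laptop in the nurse’s car.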

On May 28, Microsoft put out a blog condemning the uncoordinated releases and signaled that its Digital Crimes Unit was weighing criminal action. Before that, the company had already deleted the researcher’s GitHub account, their GitLab account, and the Microsoft Security Response Center account they used to report bugs in the first place. The researcher’s account of it: denied bounties, no communication, public humiliation in advisories, and then the door slammed and the locks changed. They have promised a larger release on July 14, with language I won’t dignify by quoting, except to say it does not read like someone who feels heard.

Here is the part I won’t paper over, because the whole point of this profession is intellectual honesty. Three of those six bugs got picked up and used in the wild once the proof-of-concept code was public. Real users took the hit. That is not a footnote. When you dump a weaponized exploit to settle a grudge, the people who pay are never the executives who wronged you. They’re a school district in Ohio and a clinic in Recife running the patch cycle a week behind.

So this is not a story with a clean hero. It’s a story about a system that failed twice.

Coordinated Disclosure Is a Contract

Dustin Childs from the Zero Day Initiative put it cleanly: coordinated disclosure is a two-way street. I’d go further. It’s a contract, and like every contract it has obligations on both sides.

The researcher’s side: report through the right channel, give the vendor a reasonable window, don’t hand a loaded gun to the internet on day zero. The vendor’s side, the part vendors love to forget: actually answer. Triage in good faith. Pay what you promised. Credit the work. And under no circumstances delete the reporting channel of the person trying to do the right thing, because the moment you close the legitimate path, you don’t stop the disclosure. You just guarantee it arrives through the illegitimate one.

Katie Moussouris, who built the coordinated disclosure model at Microsoft before the company decided to forget she did, warned about exactly this: the chilling effect. Threaten researchers with prison and they stop reporting. They don’t stop finding. The bugs are still there. You’ve just blinded yourself to them and called it a win.

You Cannot Grade Your Own Homework

Now widen the lens, because the beef is the symptom and this is the disease.

Why can’t a company just test its own software and be done with it? Microsoft employs some of the best security engineers alive. So does every hyperscaler. Why does the outsider with a handle and a grudge find the thing the internal team missed?

Because the internal team is grading its own homework, and the incentives are rigged against them before they sit down. I’ve run internal QA. I’ve also been the founder staring at a ship date. The internal engineer who flags a deep architectural flaw two weeks before launch is not thanked. They’re the obstacle. They’re the reason the quarter slips. The corporate gravity inside every company bends toward speed and go-to-market, and it bends hardest precisely on the issues that matter most, the ones expensive enough to delay a release. Internal QA can find the bugs that are cheap to admit. It structurally cannot find the bugs that are expensive to admit. Different incentive, different blindness.

Think about buying a house. You would never let the builder’s own crew certify the foundation and call it independent. The builder is the last person on Earth who wants to discover a cracked slab, because finding it costs him money and time and the closing date. So you hire an inspector who has never met the builder, who gets paid the same whether the house passes or fails, whose entire professional reason to exist is to find the thing the builder is motivated not to see. The inspector isn’t hostile to the house. The inspector is the only honest signal in the room.

That’s an external security researcher. That’s a penetration test. It is one layer of a real defense in depth: adversarial, independent, and structurally immune to the internal pressure to look away.

And here’s the thing most people outside the field don’t realize: this isn’t my opinion. It’s encoded in the building codes. NIST SP 800-53 carries CA-8, Penetration Testing, as a control in its own right, and pairs it with CA-2, Control Assessments, whose Independent Assessors enhancement (CA-2(1)) demands assessors with a genuine degree of independence rather than the team that wrote the code marking its own exam. NIST SP 800-115 is an entire technical guide devoted to how security testing and assessment should be done. ISO/IEC 27001 requires managed technical vulnerability handling, internal audits by people who are objective and impartial about what they audit, and independent review of the security program, not a self-attestation. PCI DSS mandates regular internal and external penetration testing by a qualified tester who is organizationally independent of the people running the systems, because the card brands learned the hard way that internal sign-off and real-world security are not the same number.

Read those standards as what they actually are: a confession. Every one of them is the regulatory system admitting, in formal language, that an organization cannot be trusted to find its own most dangerous flaws. The independent adversary is not a nice-to-have bolted on for compliance theater. It’s the control. The external researcher is the human form of CA-8.

Microsoft, of all companies, knows this. It runs one of the largest bug bounty programs in the world precisely because it accepts the premise. Which is why threatening a researcher with the Digital Crimes Unit isn’t just heavy-handed. It’s the company arguing against the very control that made it safe.

The Code Isn’t a Poster

So if outsiders need that much power to find what insiders can’t, what restrains the outsider? A code. And whether you’re actually bound by it.

I earned my CISSP years ago. Not as a line on a business card. I earned it because the discipline behind it translated directly into how I ran operations and how I slept at night. The certification rests on four canons, and they’re ranked on purpose. Protect society first. Act honorably, honestly, justly, responsibly, and legally, second. Serve your client third. Advance the profession fourth. Society outranks the client, and that ordering is the whole game, because it tells you what to do in the exact moment the two collide.

From that hierarchy flows an operating rule I never bent: you do not engage with criminals. You don’t negotiate with them, you don’t pay them, you don’t treat extortion as a line item in an incident budget. Anyone who’s sat in a room with the FBI’s cyber squad has heard that said out loud, and it lands differently in person than it does in a policy PDF.

But a rule you can’t afford to keep is just a wish. The reason we never paid a ransom wasn’t bravery. It was retention policy, executed with discipline, every cycle, kept pristine, so that when the bad day came we restored instead of begged. Backups nobody has to negotiate with. None of our customers ever paid a ransomware crew, and not because we got lucky. Because the boring work was already done before the attacker ever showed up.

That’s the line. The same code that forbids me from paying a criminal is the code that forbids me from becoming one. It’s why I can defend a researcher’s autonomy in one breath and still call a weaponized exploit dump that burns real users a violation in the next. Protect society comes first. It comes first for the vendor, it comes first for the researcher, and it came first at three in the morning when a clean backup was the only thing standing between a customer and a ransom note.

The Chilling Effect Is the Real Vulnerability

There’s a legitimacy problem this whole mess exposes, and it’s bigger than Microsoft.

How do you tell a security researcher apart from an attacker? They use the same tools. They run the same scans. They write the same exploit code. The only durable difference is intent, authorization, and whether you’re bound by a code. None of that shows up in a packet capture. For twenty years the industry’s answer was a fragile social contract: we’ll assume good faith if you disclose in good faith. The Nightmare Eclipse mess is what happens when one side decides the contract is optional.

The interesting part is that the answer is starting to get built in formal lanes. I went through Anthropic’s Cyber Verification Program, the vetting process that lets approved researchers use frontier models for offensive security work that’s blocked by default for everyone else. I don’t mention it for the badge. I mention it because of what it represents: an AI lab sat down and built a mechanism to formally distinguish a legitimate researcher from a bad actor, vet them, and then get out of their way. That’s the right direction. That’s the profession being granted the autonomy it needs to function.

Microsoft just spent a week walking the other way. Delete the accounts. Invoke the crimes unit. Reframe a labor dispute and a bounty fight as a criminal matter. Every researcher watching learns the same lesson, and it is not the lesson Microsoft thinks it’s teaching. The takeaway isn’t “disclose responsibly.” It’s “Microsoft is not safe to talk to.” So the next person who finds a BitLocker bypass doesn’t open an MSRC ticket. They sit on it, or they sell it, or they post it to spite a company that taught them honesty gets punished. The chilling effect doesn’t make Microsoft safer. It makes Microsoft blind, and blindness in a company whose software runs the world is not a PR problem. It’s a public safety problem.

I want to be fair to Microsoft here, because fairness is in the code too. The security stack the company ships today is genuinely good. Patch Tuesday, a real Security Response Center, Defender, a serious bounty program, an actual vulnerability response apparatus where there used to be a void. They built something the 1995 version of themselves could not have imagined, and they earned it. Which is exactly why reaching for the Digital Crimes Unit reads less like strength and more like a company forgetting how it got strong.

So let me be loud about where I stand, because this profession gets caricatured by people who have never done the work. I do not endorse dumping live exploit code that lands on innocent users. An artifact that hurts people isn’t research, it’s collateral, and the code I live by puts society first precisely so that line stays bright. But the answer to one reckless disclosure is not to brand the entire discipline criminal. This line of work is real. It is permanent. It will not be wished out of existence by a legal threat, and pretending otherwise only pushes it underground. What the work asks in return is not complicated: transparency from the vendors about how they actually handle what we bring them. You don’t get to run an opaque process, delete the accounts of the people knocking politely, and then act shocked when the knock becomes a kick. Treating security researchers as masked bandits is not a defense of anyone. It’s a regression to the era I opened this piece in, the one we spent twenty years climbing out of.

Give researchers a sanctioned lane and protection inside it, and most of them will walk it gladly. We are not the adversary. We’re closer to an immune system: the part of the organism that goes looking for the infection before it spreads, and that you really do not want to suppress.

It’s Not Digital Life Anymore

I want to end where the stakes actually are, because it’s easy to read all of this as an industry squabble about disclosure etiquette.

BitLocker doesn’t encrypt disks in the abstract. It protects the laptop a nurse leaves in her car outside a hospital, and the patient records on it. Windows Defender doesn’t block malware in the abstract. It stands between a ransomware crew and the scheduling system of a clinic, the controls of a water plant, the dispatch console of an ambulance service. The line between a software vulnerability and a physical-world consequence got erased somewhere in the last fifteen years, and most people, including most executives, never noticed the line was gone.

We stopped living a separate digital life a long time ago. There is no digital life and physical life to keep apart anymore. There’s just life, running on this stuff, all of it, all the time. And the people who pressure-test that life from the outside, the ones with the handles and the scans and the uncomfortable disclosures, are not the threat to it.

They’re the reason the door isn’t still propped open.