June 22, 2026

By The Expert Developer
I've reported bugs to Microsoft for free. I know exactly why someone just dropped six Windows zero-days out of spite.
Here's the line that's been stuck in my head all week. A researcher, goes by Nightmare Eclipse, said this to Microsoft: "You literally deleted the Microsoft account I used to report bugs to you with, and I got zero pennies from doing so."
Zero pennies. I felt that one in my teeth.
If you missed it, the short version: between early April and mid-May, this person published working exploit code for six Windows vulnerabilities. Not vague write-ups. Weaponized proof-of-concept code, the kind you can basically copy-paste. Some of these let you escalate to SYSTEM.
At least one bypassed BitLocker, which is the thing your whole company is trusting to keep the data on a stolen laptop unreadable.
No heads-up to Microsoft on any of them. Just dropped, one after another, for about six weeks.
And then on May 28 Microsoft put out a blog post calling the disclosures "never justifiable" and saying its Digital Crimes Unit would go after anyone enabling criminal activity with exploit code. GitHub nuked the account. A couple of days later GitLab did too.
So the researcher's now got the platforms and the Digital Crimes Unit pointed at them.
I should be on Microsoft's side here. I run Windows boxes. I do not want SYSTEM exploits floating around free for every ransomware crew on earth. Dropping live zero-days with no patch available is genuinely reckless and real people get hurt by it.
And yet. I read that blog post and my gut went the other way, and I don't think I'm alone.
the people who literally invented this process are not backing Microsoft
This is the part that should make Redmond sweat.
Katie Moussouris built the bug bounty program at Microsoft. She's the person who pushed coordinated disclosure into being a thing companies actually do.
The exact framework Microsoft is now waving around to say "you did this wrong"? She had a hand in it. And she went on Bluesky and tore the blog post apart.
Kevin Beaumont, who used to be a security engineer at Microsoft, called it a dumpster fire of their own making. His point, and it's a good one, is that Microsoft once hired SandboxEscaper.
She dropped Windows zero-day exploit code publicly, no warning, multiple times back in 2018–2019. Same behavior they're now calling criminal. They gave her a job.
So the message a researcher hears is: do this and we might prosecute you, or do this and we might hire you, depending on the year and the mood. Pick a lane.
When the founders of responsible disclosure look at your responsible disclosure lecture and say nah, you've lost the plot somewhere.
I know the feeling that gets you here, even if I'd never do the thing
Let me tell you why "zero pennies" hit me so hard.
A few years back I found a thing. Won't say where; it was a vendor's auth flow, and it was bad, the kind of bad where you stop and go "wait, surely not," then test it again and, yeah, surely yes. I did the right thing. Wrote it up clean: repro steps, impact, the works. Filed it through their proper channel.
Six weeks of nothing. Then a canned "we've determined this does not meet the bar for a reward" and a request that I not disclose. No CVE credit at first either; I had to fight for that.
The fix shipped quietly months later with no mention. I spent maybe fifteen hours on that report, unpaid, being a good citizen, and the entire reward was the privilege of being told to keep quiet about it.
I didn't go drop zero-days. Obviously. But did I feel a little flicker of why did I bother? Yeah. Of course I did. Anyone who's filed a serious bug and gotten the silent treatment knows that flicker.
Now stretch that flicker over a person who got their actual reporting account deleted.
Who watched the door close. The thing Microsoft is treating as inexplicable villainy is just that flicker, left to rot for a couple of years until it turned into a grudge.
People don't weaponize six exploits because they woke up evil. They do it because every nicer option got taken away from them one at a time.
the economics are the whole story and nobody wants to say it out loud
Bug bounty math is genuinely broken for the reporter.
You find a real Windows privilege-escalation bug. Through official channels, best case, you maybe get a few thousand dollars, often less, frequently nothing because it "doesn't meet the bar," and you wait months.
That same exploit on a gray market, sold to a broker who sells it onward to a government? Could be six figures. For one bug.
So the legitimate path pays you a tiny fraction of the illegitimate one, and it's slower, and it comes with a "please don't talk about it" attached.
The only thing holding the whole coordinated-disclosure system together is goodwill. Researchers eat the bad economics because they want to do right and they want the credit and they want a working relationship with the vendor.
Delete their account. Threaten them with your crimes unit. Tell them in public that what they did is never justifiable. You're not strengthening the system. You're burning down the one thing keeping good researchers on the legal path, which is the feeling that the legal path respects them.
Microsoft ships AI in everything now and somehow the most human, most relationship-dependent part of their security stack is the one they decided to bulldoze on a Thursday.
okay but I'm not letting the researcher off either
I keep wanting to make this a clean hero story and it isn't.
Dropping working SYSTEM exploits and a BitLocker bypass with no patch out there is not sticking it to the man. It's handing loaded weapons to people who will absolutely point them at hospitals and small businesses who never wronged anyone.
The grudge is between this researcher and Microsoft. The blast radius is everybody running Windows, which is, you know, most of the planet. That part I can't defend and won't.
So I land in this annoying spot where both things are true at once. The researcher did a harmful, reckless thing. And Microsoft created the exact conditions that produce that exact researcher, then acted shocked. Both. At the same time.
If you want the pipeline from ignored report to spite-drop to stop, you don't fix it with a Digital Crimes Unit.
You fix it by paying people promptly, by not deleting their accounts, and by not reserving the "we'll hire you instead of suing you" treatment for the ones who happen to be famous.
What I'd actually tell a junior thinking about reporting a bug
Report it. Still report it. Be the good citizen. The world is better when bugs get fixed quietly before the bad guys find them, and most vendors are not Microsoft on its worst week.
But go in clear-eyed. You're doing unpaid labor for a trillion-dollar company that may ghost you, lowball you, and ask you to stay quiet about your own work.
Get your repro steps and your timeline in writing. Know what their public-disclosure policy actually is before you start, because you might need it. And if a company ever makes you feel like a criminal for handing them a gift, remember that the woman who invented their bounty program is on the internet right now telling them they're wrong.
I don't know how the Nightmare Eclipse thing ends. Probably with lawyers, knowing Microsoft.
But the next person sitting on a serious Windows bug, deciding whether to file it through the proper channel or just not bother, read this whole story too. That's the part Redmond should actually be scared of.
Anyway. I've got a vuln writeup half-finished in another tab. Still gonna file it the right way. Just gonna screenshot everything first.