Microsoft Backs Off Legal Threats Against Windows Security Researchers After BitLocker Backlash
Microsoft Changes Course on Legal Threats 🚀
Microsoft has announced that it will no longer pursue legal action against security researchers who conduct security research or publish their findings. This decision comes after a heated exchange with security researcher “Chaotic Eclipse” (also known as Nightmare-Eclipse), who revealed a zero-day exploit named YellowKey. This exploit allowed access to BitLocker-protected drives on Windows 11 using a simple USB key. Nightmare accused Microsoft of intentionally leaving a backdoor in this security feature.
The tech giant acknowledged the vulnerability in Windows and is tracking the YellowKey exploit under CVE-2026-45585, sharing mitigation measures with the community. However, Microsoft pointed out that the vulnerability was not communicated to them in advance, as its Coordinated Vulnerability Disclosure (CVD) policy requests. They expressed concern that publishing unpatched bugs along with exploit code could jeopardize customer security, which led to their initial legal threats.
Nightmare claimed that Microsoft had banned their GitHub account and deleted their Microsoft account used for reporting bugs, stating, “[they were] told personally by [Microsoft] that they will ruin my life and they did.” In response, a Microsoft spokesperson refuted these claims, stating, “Microsoft does not remove MSRC researcher portal accounts, which is where anyone can submit a vulnerability to the company.”
BugCrowd founder Casey John Ellis described Microsoft’s decision to pursue legal action as “an insanely myopic move,” especially given their efforts to present a secure and research-friendly image. Andrew Case, director of threat research at Volexity, echoed this sentiment, noting that Microsoft has undermined the goodwill it built over the last decade.
Following community backlash, Microsoft clarified on June 1, 2026, that they have no intention of pursuing action against individuals conducting or publishing their security research. They emphasized that legal action would only be considered when individuals engage in malicious activities that harm customers.