Criminal Justice & the Rule of Law Cybersecurity & Tech

Accusation, Trust, and the Future of Vulnerability Disclosure

Cory Simpson
Monday, July 6, 2026, 10:27 AM
Microsoft’s dispute with Nightmare Eclipse reveals what’s at stake when companies conflate disclosure with criminality.
A Microsoft building in Atlanta (Tyler Lahti, https://tinyurl.com/mh8mtvn8, CC BY 4.0, https://creativecommons.org/licenses/by/4.0/)

In May, an independent security researcher known as Nightmare Eclipse published a series of unpatched Windows vulnerabilities after what the researcher described as a failed disclosure process with Microsoft. The researcher said the vulnerabilities, along with proof-of-concept exploit code, had been reported to the company before publication. Microsoft said the disclosure occurred outside proper coordination, accused the researcher of enabling criminal activity, invoked its Digital Crimes Unit, and pointed toward potential law enforcement action.

Microsoft blurred a line it knows well: the line between protecting billions of users from malicious actors and implying that security researchers may be treated as criminals for good-faith research. The security community heard the message that way and responded forcefully, with researchers publicly describing their own frustrations working with Microsoft’s disclosure process.

Microsoft later clarified that it has no intention of pursuing action against individuals conducting or publishing security research, while reserving the right to work with law enforcement when someone breaks the law and harms customers. That clarification drew the line where Microsoft should have drawn it from the start.

The episode raises a broader question for cybersecurity governance: What happens when a company with state-like reach invokes the language of criminal enforcement in a system that depends on voluntary reporting and trust? 

Coordinated vulnerability disclosure (CVD) is the process by which researchers report vulnerabilities to vendors so that the vendors can assess risk, develop patches, and protect users before adversaries exploit the flaw. The process depends on trust and clear communication. Researchers surface findings to support remediation. Vendors assess risk, communicate with researchers, and move quickly to protect customers. The mission is to surface weaknesses while vendors still have time to act.   

CVD depends on a clear line between the disclosure process and the criminal justice system. Criminal conduct belongs in lawful channels grounded in facts, authorization, intent, and harm. The CVD process should remain focused on validation, remediation, communication, and user protection. When criminal law language enters the disclosure conversation, it distorts the relationship the process depends on and weakens the trust that makes coordinated disclosure work. 

Legal uncertainty weakens coordinated disclosure by shifting the researcher’s question from “How do I help fix this?” to “What could this cost me?” Researchers begin weighing personal exposure against technical risk, and vendors lose credibility with the very community they depend on. A National Telecommunications and Information Administration (NTIA) survey found that 60 percent of researchers cited the threat of legal action as a reason they might decline to work with a vendor on disclosure. The same report found that researchers overwhelmingly use coordinated disclosure, and that when they choose another path, communication has usually broken down first. Legal certainty and communication are the foundation of coordinated disclosure. 

CVD is not whistleblowing, but the two systems share a basic design principle: People are more likely to surface risk when they trust the channel and believe they can use it safely. That design principle dates back to the earliest years of the republic. In 1778, the Continental Congress protected sailors and marines who reported misconduct by the commander of the Continental Navy and later faced a criminal libel suit. The lesson still applies. Systems that depend on disclosure must protect those willing to come forward. Researchers who fear legal exposure may stay silent, delay reporting, or disclose outside the vendor process. 

The Nightmare Eclipse dispute shows how quickly trust and communication can break down. The researcher alleges that Microsoft deleted the Microsoft Security Response Center account used to report bugs, closing the coordinated disclosure channel before exploit code went public. Once that channel closes, researchers have fewer good options and vendors lose control of the timeline.

The pattern extends beyond Microsoft. In 2020, Voatz, a mobile voting app used in several U.S. elections, clashed with MIT researchers who identified flaws in the company’s software. Voatz denied the findings, removed legal protections for independent researchers, and, according to some involved, reported one of the researchers to the FBI. Security and election experts expressed alarm, and HackerOne, a platform that connects organizations with security researchers to find and fix vulnerabilities, removed Voatz from its platform.

There are better models. Many companies run bug bounty or CVD programs to encourage external researchers to find and report vulnerabilities through trusted channels. Some have also invested in clearer submission processes, stronger researcher communication, and meaningful rewards. Apple, for example, recently expanded its security bounty program with increased rewards—including some of the highest in the industry—and an improved reporting process. The example shows that vendors can choose a posture that treats researchers as contributors to security rather than sources of embarrassment or risk. 

The NTIA data reinforces the value of that posture. Among surveyed researchers, 92 percent reported engaging in some form of coordinated disclosure. Most did not expect monetary reward for disclosure. They expected communication: 70 percent expected regular updates during the process, and researchers who pursued public disclosure instead of CVD often did so because communication with the vendor had already broken down. Companies that treat researchers as collaborators create conditions that encourage future reporting. Companies that treat them as adversaries create incentives for delay, silence, or public disclosure.

The rise of artificial intelligence (AI)-powered vulnerability discovery makes this more urgent. These systems accelerate vulnerability discovery and reshape the bug bounty ecosystem. They help researchers identify flaws faster, generate proof-of-concept code more quickly, and compress the time defenders have to validate, patch, and communicate risk. That speed raises the cost of mistrust. When a responsible researcher hesitates after finding a vulnerability—consulting counsel, weighing personal risk, or questioning whether a vendor will respond fairly—defenders lose time they cannot afford. Malicious actors keep moving. 

References to a Digital Crimes Unit, law enforcement, or potential legal action can harden positions, chill reporting, and convert disclosure friction into a question of personal exposure. Publishing uncomfortable findings is not malicious conduct. The security ecosystem depends on good-faith research reaching vendors before adversaries can weaponize it. AI-powered vulnerability discovery requires trusted disclosure channels, faster communication, and disciplined CVD.

Microsoft sets norms across the digital ecosystem. When it conflates disclosure with criminality, it creates a permission structure others will follow. That risk grows as AI increases the volume of vulnerability discovery and accelerates exploitation. Malicious actors will use AI to identify attack paths into systems, scale operations, and lower the cost of technical capability.  Responsible researchers will use the same tools to find weaknesses earlier and help defenders move faster. More discovery means more reports, more disputes, and harder calls about intent and authorization. The answer is stronger disclosure channels, better communication, and disciplined triage—not the threat of criminal enforcement. 

Those difficult calls require technical judgment, institutional restraint, and disciplined language from powerful institutions.

No one has held a more informed perspective on wielding institutional power than Justice Robert Jackson—the only person in U.S. history to have served as solicitor general, attorney general, and Supreme Court Justice, and who later took leave from the Court to serve as chief U.S. prosecutor at the Nuremberg trials. Across those roles, Jackson understood accusation from the vantage point of advocate, prosecutor, and judge. At Nuremberg, he used it as a vehicle for lawful accountability for crimes that shook the global order. In a famous speech as attorney general, he warned that accusation itself can injure and is a source of tremendous power to be used with caution. At Nuremberg, he showed what lawful accusation requires: evidence, reason, process, restraint, and a clear line between wrongful conduct and criminal acts.

That warning speaks directly to this moment in cybersecurity. Coordinated disclosure depends on people coming forward voluntarily with information that others may find uncomfortable, embarrassing, or costly. When a company with state-like reach invokes the language of criminal enforcement within that system, it changes the relationship. It turns trust into exposure. It turns a disclosure channel into a source of personal risk. It signals to researchers that reporting a vulnerability may place their reputation, livelihood, or liberty in jeopardy. In a moment when AI is changing the speed, scale, and dynamics of vulnerability discovery, such signals shape behavior.

Companies with CVD programs should review how they communicate with independent researchers and how they protect good-faith reporting. Criminal accusation should be reserved for conduct grounded in malice, harm, and unlawful access. Criminal law carries unique weight because it is backed by the power to investigate, prosecute, and deprive a person of liberty. Companies should invoke that language with discipline. Clear facts, careful process, and measured language preserve the credibility of CVD programs and encourage the reporting behavior those programs were designed to support. 

Microsoft shapes norms at a scale few organizations can match, and that reach carries responsibility. The company has called for accountability across the digital ecosystem and has said security remains its top priority. It should meet that standard here. AI is compressing the time between vulnerability discovery and exploitation. Every hour lost to fear, hesitation, or mistrust gives adversaries room to move. Trust is a security asset. In coordinated disclosure, it enables researchers to bring risk forward before adversaries turn it into harm. The companies that anchor the digital world must use criminal law language with the discipline it deserves; reserve it for conduct grounded in malice, harm, and unlawful access; and protect the trusted channels that help secure the systems billions of people rely on. 


Cory Simpson is a national security and cybersecurity executive, attorney, and former federal prosecutor with more than two decades of experience across government, elite military organizations, and the private sector. He leads Washington, D.C.-based organizations that bridge policy and technology to advance modernization, strengthen security, and serve the American people.
}

Subscribe to Lawfare