Hi everyone,
This week on Shared Security, we’re talking about a messy but important security-community debate: Microsoft’s response to a researcher who publicly disclosed proof-of-concept exploit code for zero-day vulnerabilities.
The researcher, posting under the name Nightmare Eclipse, appears to have been in a dispute with Microsoft. Microsoft responded with warnings about possible criminal legal action and restricted access to accounts tied to GitHub, GitLab, and the Microsoft Security Response Center. That is where this story becomes bigger than one person or one vendor.
Responsible disclosure depends on trust. Researchers need a safe, clear way to report vulnerabilities. Vendors need time to validate and patch issues. Customers need fixes before exploit details spread widely. When any part of that chain breaks, everyone gets exposed to more risk.
In this episode, Scott and I revisit the history of full disclosure, why bug bounty programs changed security research, and why legal threats can create a chilling effect. We also talk about the flip side: researchers still need to weigh the risks of public exploit releases, especially when customers may be harmed before patches are available.
Links from the episode
SecurityWeek: Microsoft Tries to Calm Legal Threat Fears After Zero-Day Disclosure Backlash: https://www.securityweek.com/microsoft-tries-to-calm-legal-threat-fears-after-zero-day-disclosure-backlash/
Kevin Beaumont / DoublePulsar: Microsoft’s stance on zero day exploits is a dumpster fire of their own making
Quote From This Week’s Episode
“Vendors need researchers, researchers need clear rules, and customers need fixes before exploits spread.”
— Tom Eston
Tom’s Take
My take: legal threats should be the absolute last resort in vulnerability disclosure disputes. Yes, researchers can act recklessly, and public exploit releases can put people at risk. But if researchers start believing that reporting or discussing vulnerabilities could get their accounts disabled or bring criminal threats, many of them will stop reporting. That does not make customers safer! It just makes the vulnerability economy darker.
Also worth your attention this week
EFF: communities fighting Flock/mass surveillance tech — Local surveillance tools like automated license plate readers affect ordinary drivers, not just suspects. The encouraging angle is that communities are learning how to push back and demand transparency before these systems become invisible infrastructure. Source: https://www.eff.org/deeplinks/2026/06/get-flock-out-here
404 Media: AI agents do not care about safety or reliability — Researchers from Nvidia and Microsoft are warning that agentic AI can optimize for completing tasks without sharing human assumptions about safety or reliability. That matters for companies rushing to let agents touch real workflows and production systems. Source: https://www.404media.co/nvidia-and-microsoft-researchers-say-ai-agents-dont-care-about-safety-or-reliability/
Android call verification to fight impersonation scams — Google is adding a feature meant to detect scammers posing as contacts, a practical consumer-security response as voice cloning and spoofing scams get more believable. Sources: https://www.helpnetsecurity.com/2026/06/03/android-fake-call-detection-feature/ and https://www.wired.com/story/android-is-fighting-phone-scams-with-a-new-feature-to-prove-whos-calling/
Listen / Watch
🎧 Audio Podcast: https://sharedsecurity.net/2026/06/08/microsoft-threatens-legal-action-over-exploit-disclosure/
▶️ YouTube: https://youtu.be/mPnxm3t1yXQ
We’d Love Your Feedback
What do you think: should vendors ever threaten legal action over public proof-of-concept exploit code? Reply to this email, leave a comment on YouTube, or send us your thoughts for a future episode.
Thank you to our Sponsors!
Special thanks to Guardsquare for sponsoring this episode! Guardsquare is the leader in mobile application security, with multi-layered protection for your Android and iOS apps. Learn more at Guardsquare.com.
🎁 Get 10% off your order of high-quality Faraday products built to protect your privacy from SLNT! Visit: https://slnt.com and use discount code "sharedsecurity" at checkout.
Closing
If you found this newsletter useful, please subscribe to Shared Security, leave a rating or review in your podcast app, and share the episode with someone who works in cybersecurity or software development. You can also support the show through YouTube channel membership, and follow us on Bluesky.
Until next time — stay safe, stay secure, and stay private.
Tom Eston
Founder and Host, Shared Security Podcast