Finding bugs in Microsoft products used to come with a clear social contract. You find it, you report it privately, you wait for a fix, then you publish. Microsoft gets to patch quietly. You get credit and maybe a bug bounty. Nowadays that contract seems to have gotten complicated. A researcher going by Nightmare Eclipse published a series of unpatched vulnerabilities in Microsoft products, including Windows Defender and BitLocker, along with working exploit code, without giving Microsoft a chance to fix them first. Microsoft responded with a blog post threatening criminal referrals and invoking its Digital Crimes Unit. The cybersecurity community, the same community Microsoft depends on to find these bugs before actual criminals do, reacted about as well as you'd expect.