You Bear The Risk
Microsoft tells its customers they assume the danger of using Defender. Then it threatens the researcher who found the danger. That contradiction is the entire case for software liability regulation.
Open the license agreement for Microsoft Defender and read down to the disclaimer. In capital letters you’ll read that the software is licensed “as is,” and you bear the risk of using it. A few lines down, a second all-caps block caps the company’s liability at roughly what you paid, which, for a tool bundled into Windows, is effectively nothing. That’s the deal. Microsoft builds the thing you rely on to keep attackers out, disclaims responsibility for whether it works, and leaves you with the damages should a breach occur.
Now consider what Microsoft has done to the researcher who exposed flaws in that very product.
A pseudonymous researcher who goes by Nightmare Eclipse says Microsoft locked them out of its own reporting portal, paid nothing for the bugs they submitted, and ignored the findings. So they retaliated. Between early April and mid-May, Nightmare Eclipse dumped working exploit code for six unpatched zero-days affecting Defender, BitLocker, and core Windows components onto GitHub and GitLab, skipping coordinated disclosure entirely. At least three were turned on real victims within days, before Microsoft could respond. Instead of a patch, Microsoft answered with a referral to its Digital Crimes Unit and a threat of criminal prosecution.
In short, Microsoft tells you Defender is “as is” and the risk is yours. Then it reaches for criminal process against the researcher who found the specific risk you were told to carry. The company will not stand behind the product, and, at its worst, it turns on the people who prove where the product fails. The risk flows one direction. The liability flows the same direction. Neither flows back to Microsoft.
None of that excuses what Nightmare Eclipse did. Publishing live exploit code for unpatched flaws is reckless. It put ordinary users in the line of fire, and that is on Nightmare Eclipse. But it is a separate wrong, not a defense. Microsoft’s liability does not turn on whether the person who exposed the flaw behaved well. The disclaimer covers the product no matter how its failures come to light. “As is” means as is.
This would be easier to wave off as a licensing quarrel if the company had earned any benefit of the doubt. It hasn’t. Russian intelligence moved through Microsoft infrastructure into the U.S. Departments of Justice, Homeland Security, and Treasury in the SolarWinds operation, using a token-forgery technique Microsoft had understood since 2017 and disclosed to no one. Chinese state hackers rode four Exchange Server zero-days into more than 30,000 organizations in 2021. In the summer of 2023, the Chinese group Microsoft tracks as Storm-0558 read the email of the Commerce Secretary and the U.S. Ambassador to China in the days before a sensitive trip to Beijing, using a signing key Microsoft had stopped rotating and could not afterward account for. Then the same Russian group from SolarWinds walked back in through a test account with no multifactor authentication and reached Microsoft’s source code. Four catastrophic intrusions in six years. Not one required sophisticated tradecraft. Each turned on a basic control Microsoft failed to maintain — the kind of control Defender is sold to provide.
The Cyber Safety Review Board reviewed the 2023 intrusion and called it preventable, the product of a security culture it said required an overhaul. Nightmare Eclipse is not the first to make that complaint. The late Amit Yoran, then Tenable’s chief executive, accused Microsoft in 2023 of leaving customers deliberately in the dark about an unpatched Azure flaw, and in October 2024 Trend Micro’s Zero Day Initiative criticized Microsoft for quietly patching an actively exploited Windows flaw without crediting anyone and rating it only “moderate.” Check Point and others have described the same handling: silent fixes, withheld acknowledgment, disputes over severity.
What is unusual in the Nightmare Eclipse case is not the grievance but Microsoft’s answer to it. A criminal referral is not how the company normally treats researchers, and that is exactly why it shows how far this relationship has broken down. Katie Moussouris, who built Microsoft’s own bug bounty program, called the company’s language toward Nightmare Eclipse inflammatory. When the person who designed your disclosure program says you are threatening researchers, the researcher is not your real problem.
The real problem is that what Microsoft is doing is legal, and it is ordinary. Every software company on earth ships under the same “as is” disclaimer and the same liability cap. I argued in Inside Cyber Warfare that cybersecurity is a market for lemons — the seller knows the product’s defects and the buyer cannot. The license agreement formalizes that asymmetry. You can’t negotiate it; lawyers call a take-it-or-leave-it contract like that a contract of adhesion. If you don’t like the terms, the industry’s answer is simple: don’t use the software. There is no version of that answer for a hospital, a utility, or a federal agency running Windows.
No other industry that builds critical infrastructure is permitted to operate this way, and none of them surrendered the arrangement on its own.
Accountability is never volunteered. It is, historically, forced. To wit —
The railroads let brakemen lose their hands to the link-and-pin coupler until Congress mandated the automatic coupler in 1893.
The ammonium nitrate that leveled Texas City in 1947 (roughly six hundred dead, and still the deadliest industrial accident in American history) produced the principle Justice Robert Jackson set down in dissent: the public cannot be expected to possess the facilities or the technical knowledge to learn for itself of inherent but latent dangers. That sentence describes the software EULA exactly.
Detroit fought seat belts until the Motor Vehicle Safety Act of 1966, fifty-eight years after the Model T.
The first mass-market personal computer shipped in 1976. Half a century later, software liability still does not exist. Why? There hasn’t been enough public outrage to overcome the tech industry’s multibillion-dollar lobbying efforts to keep its unregulated status.
The 2023 National Cybersecurity Strategy calls for shifting liability onto software makers, who to this day carry none — short of gross negligence. Chris Inglis, who oversaw that strategy as National Cyber Director, made the same argument I did when he said “voluntary hasn’t worked in 25 years.” The model already exists in miniature — New Jersey writes liability into its cloud and software contracts, so a vendor whose flaw causes a state data breach pays multiples of its annual fees plus the full cost of the cleanup. The large vendors swallow those terms to win the contract. The small ones can’t, which is precisely why the floor has to be law rather than negotiation.
“Mark this date July 14th, I will make sure your bones are shattered that day.” - Nightmare Eclipse, May 23, 2026, Blog entry
Nightmare Eclipse has promised Microsoft that their next drop on July 14 will be “bone-shattering.” The last batch was weaponized within days; there is no reason to expect this one won’t be. A single shut-out researcher may do to Microsoft’s customers what four nation-state services could not, and the wreckage may at last be ugly enough to drag liability into law.
The casualties of a mass zero-day release are never Microsoft’s executives. They are the hospitals, the agencies, and the ordinary users holding the risk Microsoft assigned them in the disclaimer. The logic of every precedent is that we keep waiting for the bodies before we act, and the bodies are always other people’s. We do not have to run this one to the end. The contradiction is already on the page: “as is,” you bear the risk, and a criminal referral for the person who proved it. Congress can take its cue from history and write liability into law now, or it can wait, as it always has, and let the next disaster, perhaps as soon as July 14, make the argument for it.