On the twenty seventh of May, Microsoft published a blog post that read less like a security advisory and more like a warning shot. The target was a researcher working under the handle Nightmare Eclipse, who had spent the preceding days dropping a string of unpatched Windows vulnerabilities into the open, complete with working code to exploit them. The names were almost cinematic. BlueHammer. RedSun. UnDefend. YellowKey. The flaws touched the parts of Windows that people are told to trust without thinking, the built in antivirus engine and the disk encryption tool. Three of the six were reportedly already being used in real attacks. And the researcher promised more, a drop he called bone shattering, set for the fourteenth of July.
Microsoft did not answer with a patch timeline or a measured admission that something had gone wrong upstream. It answered in the language of law enforcement. Its Digital Crimes Unit would continue, the post said, to bring cases against the people who attack its customers and those who enable them. The word enable was doing a great deal of quiet work. It was the hinge the whole accusation swung on, because it let the company gesture at criminals and at the researcher in the same breath, as though there were no real distance between the person who builds a weapon and the person who points out that the wall was already cracked.
I want to take that word apart, because it does not survive contact with anything we believe about danger in any other corner of life. And I want to be honest that I had to take my own hand off it first. The frame is built well enough that even people who should know better reach for it without noticing.
What the law actually says
Start with the easy version of the objection, the one I reached for before I thought about it. The researcher broke the rules. You report the flaw to the vendor, you give them time, you wait. Publishing live exploit code for something unpatched is reckless, and reckless ought to be illegal.
It is worth asking whether it is. The answer is no, or at least not cleanly. Publishing information, including code that demonstrates a flaw, has long been treated as a form of expression, and courts have at times recognized code itself as protected speech. Running an exploit against a machine you do not own is a crime. Writing it down and posting it is a legal grey area at worst. When Microsoft invoked its crimes unit, it was not citing a statute the researcher had broken. It was borrowing the authority of one.
So the legal objection collapses, but the moral one is the better argument anyway, because it is where the fight always actually lived. Not illegal, fine. But surely there is a duty here that the law does not name. That is the claim worth chasing, so I will chase it.
Who built the bomb
Picture the builder of your house leaving a bomb in the wall. Not on purpose, but through the ordinary carelessness of people who pour foundations fast and move on. A stranger walks by, notices the wiring, and tells you it is there. Has the stranger harmed you. The harm was poured into the wall the day it was built. The stranger only made it visible. If someone with bad intent reaches the bomb before the builder gets around to removing it, that is a fact about the builder, who left it there and was slow, not about the stranger, who rang the bell.
The strongest objection to the image is that it strains when the stranger does not merely point at the wall. This stranger published the wiring diagram, handed out copies, and announced he would plant a fresh demonstration on a date of his choosing. At that point, the objection runs, he is no longer warning. He is arming. I made that objection to myself, and it is wrong in a specific and revealing way.
The researcher detonated nothing. He pressed no button. Announcing a date for further disclosure is announcing more disclosure, not triggering an attack. The agency for any actual harm belongs entirely to whoever takes the published code and aims it at a victim, and that person is a separate human being making a separate choice. To fold the two together, to say the one who described the flaw and the one who exploited it are morally the same, is exactly the move Microsoft made with the word enable. I had reached for it without noticing. Most people do. The frame is so well constructed that intelligent, decent people pick it up believing it is their own idea.
Why the code, and not just the warning
That leaves the real question. Why publish the working exploit at all. Why not describe the flaw in the abstract and leave the weapon unbuilt. The history of this field supplies the answer. The abstract description gets waved away. The documented vendor reflex, repeated across decades, is to receive a quiet report and reply that the flaw is not exploitable, not severe, not worth the engineering cost of a fix. A described vulnerability is a claim the vendor can deny. A working proof of concept is a claim the vendor cannot deny. The code is not gratuitous arming. It is the artifact that forecloses dismissal. It exists because the polite version does not work on a party that would rather not pay.
So the proof of concept is not an escalation. It is a response. In a world where vendors triaged honestly, the bare warning might be enough. In the world that exists, where the pattern is denial until something undeniable lands, the demonstration is the minimum force required to make the truth stick. I will not pretend the worry vanishes entirely, because there remains a real difference between a flaw nobody is using and one already in the wild, and full code against an unpatched target does widen the pool of people who can act before a fix exists. That cost is real and it sits in the tradeoff. But it is a question about whether the cost was worth it, which is a different question from whether the researcher victimized anyone. He did not. The proof of concept was not proof of malice. It was proof the flaw was real.
The two things we already believe
Here is where the whole argument turns, and it turns on a contradiction I did not have to invent, because society wrote it down twice already.

The first is a duty. We have built an entire civic liturgy around the idea that an ordinary person who notices hidden danger is obligated to surface it. See something, say something. It is painted on transit walls and recited in airports. The whole moral logic of that slogan is that the person who spots the unattended danger is not its maker and carries no part of its fault. The spotter is the good citizen. We thank him. We would be ashamed of him if he stayed silent. Map it onto disclosure and the researcher is the man on the platform who saw the bag and spoke. In every other corner of life we made him a hero. Here the builder calls him reckless for the speaking.
The second is sharper, because it is not about virtue but about money, and money is harder to argue with. We do not merely permit people to surface hidden danger. We pay them to. Reward for information leading to. The phrase is older than any of us and it is attached to exactly this act, bringing into the open something a powerful or dangerous party would have preferred to keep buried. We staple a dollar figure to it. And the structure of that reward is identical, line for line, to a bug bounty. The vendor itself pays for disclosure, eagerly, so long as the disclosure flows through the channel the vendor controls. Route the very same information around that channel and the identical act becomes a thing worth threatening prison over.

Sit with that, because it is the moment the floor moves. The money proves the principle is fine. Disclosure is not the problem. Surfacing the flaw is not the problem. We reward it everywhere, including inside the vendor’s own program, with the vendor’s own cash. The only variable that changed across all of these cases, the slogan on the wall, the reward poster, the bounty, and the criminal threat, is who controlled the disclosure. That is the whole of it. The objection was never to the telling. It was to the loss of the gate.
What the myth is actually for
Once you see that, the rest arranges itself. The belief that the discloser shares the blame for the attack is not a stray error reasonable people happen to make. It is a structure, built and maintained, and it survives because it does work for someone. It tracks not harm but liability. It activates exactly where an honest accounting would put the cost on a party with the resources to lobby, to litigate, and to publish a blog post in the language of a prosecutor.

This is the signature of a myth that serves power. The cost of the underlying defect is diffuse, smeared thinly across every user who will never know which flaw nearly caught them. The benefit of the frame is concentrated, gathered up by the one party who would otherwise eat the engineering bill and the embarrassment. Diffuse cost, concentrated benefit. Power does not manufacture beliefs in the places where the plain truth already favors it. It builds them precisely where the truth cuts the other way. The phrase responsible disclosure, the one a generation of practitioners fought to retire in favor of coordinated disclosure, was that construction in miniature. The word responsible was quietly relocating the fault, carrying it off the builder of the bomb and setting it down on the person who found it.
It holds because most people watching do not see the power running underneath. The inversion reads as common sense rather than as the load bearing fiction it is. He published the code, of course he shares the blame, feels like an intuition. It is not. It was installed. The tell is the one already on the wall and the reward poster, that we apply the opposite rule nowhere else, that the same act we pay strangers to perform becomes a crime the moment it escapes the owner’s control.
Why this is happening now
There is a reason this old fight has caught fire again, and it is not that researchers grew crueler. The ground under coordinated disclosure has shifted. The arrangement always rested on a quiet assumption, that a comfortable gap exists between the moment a flaw is found and the moment it is exploited, a gap wide enough to patch in. That gap is closing from both ends. The tools that let a researcher find a flaw faster let an attacker find it faster too, and they let the vendor find and triage its own flaws faster as well. The clock coordinated disclosure was built around now looks slow from every direction.
The deeper break is in where the builders pointed those tools. The same capability that could be aimed inward, at the decades of accumulated debt that produced these flaws in the first place, was instead aimed at shipping features, and the productivity story it generated was used to justify thinning the very engineering ranks that would have done the repair. So discovery accelerates while the capacity to remediate gets deliberately thinner. The gap disclosure depends on widens, and it widens because of the vendor’s own choices about where to spend. The incentive problem is not merely that a profit seeking company is reluctant to pay for quality. It is that the company held a tool capable of paying down the debt and spent it on the thing that shows up in the next quarter. That is not a hacker problem. It is a latent quality problem wearing a hacker’s mask, and the criminal threat against the researcher is the mask being held in place.
The wrong argument
I have not resolved this, and I will not pretend to, because the thing itself is not resolved. The unease about live code loose in the world is real, and I still feel some of it. What I am sure of is narrower and more durable than a verdict on this one case. The argument I was handed at the start, the one about whether the discloser shares the blame, is the wrong argument. It is the argument the frame wants everyone to have, because every hour spent litigating the spotter’s guilt is an hour not spent asking why the builder shipped the bomb and then went after the person who found it.
I noticed, writing this, that I spent the first stretch of my own thinking relitigating the discloser’s culpability before I caught myself doing it. That noticing is the whole point. The frame is strong enough that you reach for it without consent, and the only defense is to feel your own hand move and stop it. So I will leave the rest where it actually hangs. The deadline in July still stands. The flaws are still out there. The builder is still threatening the spotter. And the question worth asking is not whether the man on the platform should have stayed quiet. It is why, in this one corner of the world and nowhere else, we decided the person who says something is the one to blame.