
Cris Thomas (L0pht Veteran, Architect Of Responsible Disclosure) Is Calling Microsoft's MSRC Posture An Abuse Of The Framework His Community Built. Free Cookies For Collaborators.

  • Writer: Patrick Duggan

Yesterday we wrote a commentary on the Microsoft Security Response Center blog from May 27 that complained about uncoordinated zero-day disclosures and threatened Digital Crimes Unit pursuit of researchers and "those that enable their criminal activity." We landed inside the blast radius of that framing on purpose, because the alternative was letting a platform-vendor blog chill independent threat-intelligence reporting. That post was directionally right but underweighted one critical dimension: institutional memory. The L0pht-era veterans who literally defined the responsible-disclosure framework that Microsoft's blog appeals to as moral principle have started weighing in publicly, and their voices are the structurally correct anchor for reading the story. Cris Thomas — known across the infosec community for thirty years as Space Rogue — posted on Mastodon over the weekend with the framing that the rest of this analysis is going to honor as the load-bearing one.


This post is the follow-up the moment requires. It is longer than yesterday's because the backstory is load-bearing and the historical context is not common knowledge outside the deep-time infosec community. Readers without that context will find the present-day Microsoft-versus-Nightmare-Eclipse dispute hard to evaluate honestly, because the dispute is the latest instance of a structural pattern the infosec community has been documenting and arguing about since the early 1990s. The pattern matters more than the personalities. The veterans who shaped the pattern are the right authorities to read it now.



Who Cris Thomas is, and why his voice on this carries weight


Cris Thomas operates under the handle Space Rogue and has been continuously active in the infosec community since the VAX-era pre-internet bulletin-board scene of the late 1980s. He is one of the seven founding members of L0pht Heavy Industries, the Boston-area hacker collective that operated from a converted loft in the South End from approximately 1992 through 2000. L0pht was the deep-time infrastructure of modern vulnerability research. The members — Mudge (Peiter Zatko, later DARPA program manager and Twitter security chief), Weld Pond (Chris Wysopal, later co-founder of Veracode), Kingpin (Joe Grand, hardware security legend), Dildog (Christien Rioux), John Tan, Brian Oblivion, and Space Rogue himself — were the people who wrote the foundational vulnerability research that the entire modern security industry now treats as orthodoxy.


On May 19, 1998, all seven L0pht members testified before the U.S. Senate Committee on Governmental Affairs. The headline of the testimony, widely quoted ever since: they could take down the entire internet in thirty minutes. The testimony was instrumental in raising government and corporate awareness of cybersecurity as a discipline that mattered. The testimony also embedded a generation of hacker-community values into the official-Washington vocabulary: independent research as a public good, vulnerability disclosure as a process that requires good-faith participation from vendors, the principle that withholding security information from the public served no one well over the long run.


After the L0pht era, the collective merged with @stake, a commercial security consultancy that was later acquired by Symantec. The L0pht alumni dispersed into roles that have anchored independent security research for the subsequent twenty-five years. Mudge ran the Cyber Fast Track program at DARPA. Wysopal co-founded Veracode, the application-security testing vendor that LAPSUS$ has now stolen source code from (we wrote about that yesterday in a separate post on the security-vendor industry as the soft surface). Joe Grand built the hardware-hacking community at DEFCON. Cris Thomas eventually joined Tenable Research, where he continues to be active in vulnerability disclosure advocacy today.


The historical detail matters because the modern norms around responsible disclosure exist substantively because L0pht and its contemporaries argued them into existence. The principle that researchers should give vendors a reasonable window to respond before public disclosure, that vendors should provide good-faith communication and patch commitment in return, that the implicit threat of full disclosure was the mechanism that gave vendors the right incentives — all of this is a body of community-developed norms that took thirty years of debate, conferences, manifestos, and operational experience to codify. The norms did not come from vendors. They came from the researcher community. L0pht was the institutional center of that argument in the 1990s. Space Rogue was one of the seven people who carried the argument to Congress.


When Cris Thomas reads Microsoft's MSRC May 27 blog and says the framework is being misused, that is not the take of a random Mastodon poster. That is the architect of the framework reporting on its current condition.



What Cris Thomas actually said


Space Rogue posted on Mastodon over the weekend, responding to the broader conversation about Microsoft's MSRC posture and the Nightmare Eclipse disclosure. The post is worth quoting at length because the framing is the news. Krebs picked it up and reposted, which is how this kind of institutional-memory voice surfaces in 2026 — not through the security trade press, but through veterans like Krebs amplifying veterans like Space Rogue on the post-Twitter social platforms where the real conversation happens now.


The full post, as Cris Thomas published it:



"Microsoft didn't get 6 zero-days dumped on them because a researcher was reckless. They got 6 zero-days dumped on them because they deleted someone's MSRC account after that person did exactly what the industry spent thirty years begging researchers to do, report privately first. You want to know why full disclosure still exists as a concept in 2026? This is why. This is a live demonstration. You cannot build a vulnerability disclosure program on the implicit threat that the vendor will act in good faith and then be surprised when researchers stop acting in good faith in return."



"I've been in rooms, actual rooms, not Slack channels, where we debated this exact dynamic in the late 90s. The argument was simple then and it's simple now: researchers hold the leverage exactly once, at the moment of discovery. The second they hand that over to a vendor with no patch commitment, no timeline, no accountability, they have nothing. Microsoft knows this. They've known it for decades. Deleting someone's account isn't an accident or an oversight, it's a message. Eclipse sent one back. I'm not going to pretend to be shocked."



"Now Microsoft's Digital Crimes Unit is rattling sabers about legal action and coordinating with law enforcement. Classic. When you can't defend the product, attack the researcher. This playbook is older than infosec itself and it has never once made software more secure. What it does do is remind every researcher sitting on a bug right now exactly how much their good faith is worth. The chilling effect is the point. A scared research community is a quiet research community, and a quiet research community is very convenient if you're shipping 120 vulnerabilities worth of Patch Tuesday every month."



"July 14th is going to be interesting. I don't know what Eclipse has, but I know that whoever is making the call at Microsoft to escalate this legally rather than just fix the bugs has badly miscalculated the temperature of this community right now. You don't get to offshore your QA to unpaid security researchers, refuse to compensate them, nuke their accounts, threaten them with prosecution, and then appeal to responsible disclosure as a moral principle. Pick one. You don't get both."


That is the full text. Read it twice. The argument is structurally complete. The history is the spine. The leverage analysis is the load-bearing economic claim. The "you don't get both" closing line is the moral argument the architect of the framework is making against the vendor he helped train how to participate in the framework.



The Nightmare Eclipse backstory caveat


We have to be honest about one nuance that reporting since yesterday's post has surfaced. Brian Krebs published a follow-up note on Mastodon that adds context: the researcher operating under the Nightmare Eclipse handle appears to have been a full-time Microsoft employee from approximately 2022 through 2025. That changes the personal-defense dimension of the story materially. We are not in possession of all the relevant facts about what happened between Microsoft and Eclipse internally before the public dispute. The publicly disclosed conduct on both sides — Microsoft's MSRC account revocation, Eclipse's full-disclosure dump, the legal posturing from Microsoft's Digital Crimes Unit — sits on top of an employment-relationship dispute backstory that we cannot evaluate fairly without information we do not have.


Kevin Beaumont's original DoublePulsar piece flagged this dimension carefully: "Do I support what Nightmare Eclipse is doing with this one? Not really, it feels weird at times, almost like they think they're entitled to payment — their blog is also awfully specific about certain Microsoft colleagues. There's presumably more going on behind the scenes than is known." Beaumont got it right early. We underweighted his caveat in yesterday's post. The correction is on the record now.


The systemic critique that Cris Thomas is making does not require Nightmare Eclipse to be a sympathetic protagonist. This is the critical distinction. The structural pattern Space Rogue is reporting on — vendors deleting researcher accounts after good-faith disclosure, vendors threatening prosecution after the researcher responds with full disclosure, vendors appealing to responsible-disclosure norms while withholding the operational guarantees those norms require — applies regardless of whether Eclipse personally is right or wrong on every individual question. The framework is being misused. The misuse is the story. The personal dispute backstory is a separate question that will work itself out in whatever forum the parties end up in.



The Microsoft MVP program as structural amplification layer


The second piece worth filling in for readers without the deep-time infosec community context is why the social-media response to the MSRC blog has been so one-sided in some channels and so substantively critical in others. The answer is the Microsoft MVP program, and the answer is structurally important even if you have never heard of the MVP program before.


Microsoft Most Valuable Professional (MVP) is an awards program Microsoft has operated for over twenty years. Approximately 3,500 community members worldwide hold MVP status at any given time. MVPs are not Microsoft employees. They are independent technical practitioners, consultants, authors, and community organizers whose contributions to the Microsoft ecosystem — through blog posts, conference presentations, social media engagement, community-forum moderation, and book or training-content authorship — Microsoft formally recognizes.


The benefits MVPs receive are tangible but, by any honest accounting, modest in dollar terms: free Microsoft software licenses, free conference passes to Build and Ignite and other Microsoft events, MVP-only social functions, direct access to Microsoft product teams under NDA, occasional preview-build participation, and a public credential that confers professional credibility in the Microsoft-ecosystem labor market. The program is annual and renewable at Microsoft's sole discretion. Microsoft can decline to renew any MVP's status for any reason.


What the MVP program does structurally is create a population of independent voices whose continued benefits are conditional on not publicly contradicting Microsoft in ways that Microsoft management finds inconvenient. Multiple documented cases exist of MVPs losing their status after public criticism of Microsoft — the Jeffrey Snover situation in 2018 is one widely-discussed instance; several others have surfaced in the years since. The pattern is clear enough that MVPs operate with implicit awareness of the renewal-decision dynamic when they post publicly about contested topics.


Free cookies for collaborators is the historical-pattern shorthand for this dynamic. The benefits are individually cheap on the issuer's side — a conference pass, a software license, a credential line item on a LinkedIn profile — but the cumulative loyalty extraction across a 3,500-person ambassador population is enormously expensive in vendor-amplification terms. The Vichy-era usage of the term "collaborator" is the precise historical analog: small incentives offered systematically to a population whose alignment is then deployable at scale when the issuer needs structural amplification on a contested point. This is not a moral judgment about individual MVPs, many of whom are genuinely excellent technical practitioners whose work would deserve recognition independent of the program. It is a structural observation about what the program does mechanistically.


When the MSRC blog landed on May 27 calling researcher disclosures "criminal activity" and threatening Digital Crimes Unit pursuit, the MVP community's social-media response was the predictable structural amplification kicking in. Many MVPs amplified Microsoft's framing on LinkedIn, Twitter/X, Bluesky, and Mastodon during the days following the post. Most did not disclose their MVP status in the same posts. The effective result was that the social-media discourse around the MSRC framing appeared to have substantial community support — when in fact the community support was substantially channeled through people whose annual-renewable benefits create a structural incentive to provide it.


Cris Thomas's voice is the corrective to that asymmetry. One L0pht-veteran independent researcher with thirty years of community credibility carries more genuine authority on responsible-disclosure norms than thousands of MVP-amplified posts that read like the structural amplification they are. The asymmetry is the message.



What July 14 will tell us


Cris's closing observation — July 14th is going to be interesting — is the next-Patch-Tuesday signal. Microsoft has two paths from here, and the path they choose will reveal what the MSRC May 27 blog was really about:


Path one: fix the bugs. Microsoft ships patches for the six vulnerabilities Nightmare Eclipse disclosed (RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, MiniPlasma) in the July 14 Patch Tuesday cycle. The Digital Crimes Unit posturing quiets down. The MSRC blog's framing gets walked back implicitly through the fact that the patches arrive. Microsoft's customers get protected, which the MSRC blog claimed was the goal. The institutional-memory veterans like Cris Thomas note that the system worked the way the disclosure framework intended, despite the rhetoric. The infosec community moves on to the next dispute.


Path two: escalate. Microsoft pursues legal action against Nightmare Eclipse and visibly against any party Microsoft considers an "enabler" of the disclosures. The patches for the six CVEs arrive on a slow track or with reduced public framing. The MSRC posture from May 27 becomes the operating framework going forward. The chilling effect on independent vulnerability research escalates because the precedent has been set. Cris Thomas, Beaumont, Krebs, and the broader independent-research community read the path-two response as confirmation that the May 27 blog was indeed PR positioning rather than security-policy substance. Other security-vendor MVP-class programs at other companies notice the precedent and consider their own postures.


The path Microsoft chooses tells us what the May 27 blog was really about. The next Patch Tuesday is the test.



What stays true regardless of path


The institutional-memory veterans like Cris Thomas exist for moments like this one. The historical framework around responsible disclosure was built by community researchers with thirty years of cumulative argument, not by vendor PR departments with a quarter-cycle of strategic-comms planning. The framework is the property of the community that built it. Microsoft can choose to participate in good faith or not. When it does not, the framework remains, the institutional memory remains, and the next generation of researchers learns from the institutional-memory veterans what the framework actually was supposed to do.


Cris Thomas is one of the seven people who carried this argument to the U.S. Senate in 1998. His voice on the current Microsoft posture is the most authoritative independent-researcher voice that could weigh in on it. Whether Nightmare Eclipse personally is sympathetic or not, whether the employment-dispute backstory eventually surfaces details that change the personal narrative or not, the framework Cris Thomas helped build is structurally robust enough to survive any single dispute and any single vendor's misuse of it. Researchers will keep finding bugs. Vendors will keep choosing how to participate in the framework. The chilling effect Microsoft is attempting through the MSRC May 27 blog will be measured in research output over the next twenty-four months and the answer will be in the disclosure-rate data.


We are downstream of all of it. Our job is to publish the receipts, honor the institutional memory, name the structural-amplification dynamics for what they are, and let the framework that Cris Thomas and his colleagues built do its work over the next quarters. The L0pht alumni continue to be active in 2026 because the work they started in 1992 is still load-bearing. The arc bends slowly. The history matters.





The receipts compound


The threat intelligence in this post — and the broader institutional-memory framing of how vulnerability disclosure actually works between researchers and vendors — connects directly to the technical-receipt work DugganUSA publishes through our public STIX 2.1 threat-intelligence feed. Free. No credit card. Machine-consumable. Registration takes thirty seconds at [analytics.dugganusa.com/stix/register](https://analytics.dugganusa.com/stix/register).


Yesterday we documented that customers consuming our feed had visibility on the BlueHammer Microsoft Defender CVE — one of the six vulnerabilities Cris Thomas is naming in this dispute — for forty days before Microsoft's MSRC blog officially acknowledged the cluster. That receipt is the operational embodiment of the framework Cris Thomas helped build: independent researchers disclose, public threat intelligence amplifies, defenders downstream get protected ahead of the vendor-coordination cycle. The asymmetry inversion is real, it is dated, and it compounds for whoever subscribes.


The cheapest defender posture beats the most expensive defender brand. Subscribe. The receipts compound.


— Patrick Duggan · DugganUSA LLC





