Reciprocal disclosure — a normative framework that holds researchers, vendors, and intermediary platforms to the same standard in vulnerability disclosure relationships, instead of loading all the moral weight onto the researcher. Built on 15 principles across five categories (foundational, epistemic, operational, distributive, structural) and introducing four new terms: retaliation by infrastructure, tone displacement, silent patching, and chaining awareness.
Retaliation by Infrastructure
The use of platform control, account management, and institutional access as instruments of punishment rather than engagement
Tone Displacement
The deflection of attention from the substance of a disclosure to the manner of its delivery — engaging the speaker’s style instead of their evidence
Silent Patching
Fixing a vulnerability without public disclosure or researcher credit, while publicly condemning the person who reported it
Chaining Awareness
The obligation to evaluate vulnerability reports not only for individual severity but for their potential to be combined into exploit chains
Abstract
Bug bounty programs and coordinated vulnerability disclosure (CVD) frameworks are widely regarded as means of aligning the interests of independent security researchers with those of software vendors. This paper argues that the ethical sustainability of these frameworks depends not on their formal structure but on the quality of moral give-and-take (reciprocity) between researcher and organization. Drawing on Cialdini’s (2006) principle of reciprocity, Fricker’s (2007) concept of epistemic injustice, and the existing ethics of disclosure literature, this paper examines the case of Nightmare Eclipse — a security researcher who shifted from cooperative disclosure to publicly releasing a series of zero-day exploits targeting Microsoft Windows, including core components such as Windows Defender and BitLocker, after experiencing what they describe as systemic dismissal, undervaluation, and legal intimidation.
The case is notable for its scale, as three of the first six disclosed vulnerabilities were exploited in the wild, attackers were able to chain them with ransomware deployments, and the researcher’s GitHub and GitLab accounts were swiftly suspended in what can only be described as an institutional effort to suppress further disclosure. These were not vulnerabilities in a niche product either — Windows runs on over 1.4 billion active devices worldwide (Mehdi, 2025), dominates the global desktop market (StatCounter, 2026) and serves as the backbone of most enterprise IT environments — meaning the fallout affected businesses, hospitals, governments and critical infrastructure that depend on it every day.
The argument is that this case exposes a structural failure — and a form of epistemic injustice — in how organizations conceive of their moral obligations toward vulnerability reporters and that the resulting harm to end users, enterprises and the broader international security environment constitutes a foreseeable consequence of institutional bad faith. The paper proposes a normative framework focused on the concept of reciprocal disclosure — a reframing that puts the same expectations on both sides and accounts for the fact that the researcher and the organization do not hold equal power in this relationship.
I am the author of the blog post cited in this paper as DudeTechItOut (2025). This paper builds on and provides the philosophical framework for ideas I first explored there.
Sections
1. Introduction: The strange kind of power a researcher holds, and the moral compact that is supposed to govern it
2. How vulnerability disclosure is supposed to work: CVD frameworks, ISO standards, the implicit moral compact, and the five-phase Nightmare Eclipse chronology
3. Reciprocity as the moral foundation: Cialdini, Axelrod, illegitimate tasks, and the litmus test as reciprocity testing
4. Epistemic injustice and the researcher–organization dynamic: Fricker’s testimonial injustice applied to bug bounty programs, severity disputes, and institutional credibility deflation
5. Ethics of going public: Consequentialist, deontological, and virtue ethics analysis of adversarial disclosure — including the counterargument
6. The role of intermediary platforms: How HackerOne, Bugcrowd, and OpenBugBounty shape the ethical landscape between researchers and vendors
7. Naming what the current model gets wrong: Fifteen principles across five categories, and the case for replacing “responsible disclosure” with reciprocal disclosure
Cite
APA 7: Herrick, J. (2026). Reciprocal disclosure and the ethics of vulnerability reporting: A cybersecurity ethics case study of Nightmare Eclipse. Dude Tech IT Out. https://dudetechitout.com/papers/Herrick_2026_Reciprocal_Disclosure.pdf
MLA 9: Herrick, James. “Reciprocal Disclosure and the Ethics of Vulnerability Reporting: A Cybersecurity Ethics Case Study of Nightmare Eclipse.” Dude Tech IT Out, 2026. dudetechitout.com/papers/Herrick_2026_Reciprocal_Disclosure.pdf.
Chicago: Herrick, James. “Reciprocal Disclosure and the Ethics of Vulnerability Reporting: A Cybersecurity Ethics Case Study of Nightmare Eclipse.” Dude Tech IT Out, 2026. https://dudetechitout.com/papers/Herrick_2026_Reciprocal_Disclosure.pdf.
Harvard: Herrick, J. (2026) Reciprocal disclosure and the ethics of vulnerability reporting: A cybersecurity ethics case study of Nightmare Eclipse. Dude Tech IT Out. Available at: https://dudetechitout.com/papers/Herrick_2026_Reciprocal_Disclosure.pdf.
IEEE: J. Herrick, “Reciprocal disclosure and the ethics of vulnerability reporting: A cybersecurity ethics case study of Nightmare Eclipse,” Dude Tech IT Out, 2026. [Online]. Available: https://dudetechitout.com/papers/Herrick_2026_Reciprocal_Disclosure.pdf
BibTeX:
@article{herrick2026reciprocal,
  author  = {Herrick, James},
  title   = {Reciprocal Disclosure and the Ethics of Vulnerability Reporting: A Cybersecurity Ethics Case Study of {Nightmare Eclipse}},
  year    = {2026},
  journal = {Dude Tech IT Out},
  url     = {https://dudetechitout.com/papers/Herrick_2026_Reciprocal_Disclosure.pdf}
}