LmCast :: Stay tuned in

Microsoft 0-day feud escalates as researcher threatens another exploit dump

Recorded: May 29, 2026, 9:01 p.m.

Disgruntled 0-day hunter 'humiliated' by Microsoft pledges 'bone shattering drop' as Redmond calls cops
Six 0-days, three under active exploitation, more to come on July 14?

Jessica Lyons

Published Thu 28 May 2026 // 21:19 UTC

The ongoing saga of Microsoft versus Nightmare Eclipse (aka Chaotic Eclipse), the disgruntled bug hunter with a deep understanding of Windows and an even deeper grudge against Microsoft, reached a fever pitch, with the researcher, who has thus far released six Windows zero-days, promising a “bone shattering” drop on July 14.

Microsoft, for its part, finally responded to the security researcher and their weaponized Windows flaws with a blog post on (un)coordinated vulnerability disclosure about the now-public bugs: RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma. Redmond says that none of these were reported via its official channels prior to being made public.

Attackers began hammering three of the six - BlueHammer, RedSun, and UnDefend - soon after Nightmare published working proof-of-concept exploit code for each on now-banned GitHub (owned by Microsoft) and GitLab accounts.

YellowKey, GreenPlasma, and MiniPlasma still don’t have fixes, and Microsoft has deemed “exploitation more likely” for YellowKey, aka CVE-2026-45585, citing a working POC.

“We remain firmly opposed to these actions, and any disclosure outside proper coordination that could harm our customers and the digital ecosystem,” Microsoft wrote in a Wednesday blog, and then seemingly threatened legal action against Nightmare:

“Uncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable and have real-world consequences. Our security teams across the company work tirelessly tracking threat actors who look for weaknesses just like these to attack Microsoft and our customers. Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity – coordinating as needed with law enforcement around the world.”

Microsoft did not respond to The Register’s questions, including whether its legal team planned to sue Nightmare, whether the zero-day researcher is a current or former employee, and whether Microsoft axed Nightmare’s MSRC account, meaning that the bug hunter can’t disclose vulnerabilities to the Windows giant. Nightmare, in their latest anti-Microsoft missive, claims Microsoft did just that.

“When I actively asked you to communicate with me, you refused, humiliated me and made sure to insult me in front of people,” they wrote on Saturday. “You defame me in public with your CVE-2026-45585 advisory even though you literally deleted the Microsoft account I used to report bugs to you with and I got zero pennies from doing so and I still happily did like an idiot.”

Nightmare also noted that “Microsoft still has chains in my hands,” preventing them from releasing “documents” yet, or anytime in June, and then warned: “Mark this date July 14th, I will make sure your bones are shattered that day.”

Regardless of what does or does not happen on July 14, Nightmare has already caused chaos - and real enterprise-level damage, as systems engineer Muhammad Qasim Shahzad said on LinkedIn. “One person caused more enterprise-level damage in six weeks than most APT groups cause in a year,” Shahzad wrote. “The gap between disclosure and weaponization is now measured in hours, not days. Your patching window is shrinking fast.”

Zero Day Initiative’s bug hunter-in-chief Dustin Childs, who previously spent about seven years working for Microsoft security and has decades of experience on both sides of the coordinated vulnerability disclosure (CVD) process, told The Register that Microsoft could have handled this better. And he wondered what happened between the two parties to get to this point.

“CVD is a two-way street,” he said. “The vendor has some responsibility as well, so to go out publicly stating this person violated CVD without showing any of the correspondence seems bold.”

Microsoft could also improve its communications to customers on “what the real risks from these bugs are and how they can defend themselves,” Childs added. “That clear direction seems to be missing.”

Microsoft's 'dumpster fire'

Luta Security founder and CEO Katie Moussouris, who pioneered Microsoft’s bug bounty program despite execs vowing never to pay researchers for bugs, said Redmond’s response to Nightmare sends “mixed messages.”

“It confusingly claims their program ‘ensures researchers are compensated and publicly acknowledged’ in a statement answering a researcher who says he got neither,” Moussouris told The Register. “The language choices are also not deescalating. Microsoft invoked the outdated term ‘responsible disclosure,’ which I retired years ago at Microsoft because it was subjective and judgy.”

This phrase, Moussouris added, “got in the way of coordination” when the two sides disagreed about how to best protect end users.

“The mention of the Digital Crimes Unit in a post discussing vulnerability disclosure makes the post vaguely threatening, which seems intentional, but then they wrap up the post saying they welcome reports regardless of disclosure history,” she said. “No one except the parties involved can know for sure what happened between this researcher and Microsoft. Whatever the facts, it's hard to imagine why Microsoft would not try to deescalate, if for no other reason than avoiding the chilling effect on other researchers.”

Security sleuth Kevin Beaumont, in his blog on the ongoing Microsoft-Nightmare Eclipse saga, called it a “dumpster fire of [Microsoft’s] own making.” Beaumont also used to work at Microsoft, and he noted that the Windows company previously hired a hacker called SandboxEscaper after she published zero-day POC exploits for Microsoft products - something that Redmond’s blog now describes as criminal.

“If Microsoft’s tactic is to try to criminalise not following often arbitrary ‘responsible disclosure’ frameworks, good luck defending that in court - because there’s a whole clown car of prior decision making within Microsoft and facts which would emerge in that process,” Beaumont said.

To be clear: neither Beaumont nor the researchers that The Reg spoke to support Nightmare’s zero-day antics. Childs called the “July 14” post “troubling” and Moussouris said the date plus “incendiary language … doesn't help organizations trying to make sense of the technical risk.”

'David and Goliath dynamic'

Moussouris did add that this latest missive, taken in context with the earlier blog posts, “paint[s] a picture of someone who believes they have been pushed to this extreme. It is the sound of someone who believes every legitimate channel was closed to them: GitHub account deleted, payments withheld, credit stripped, then publicly accused of violating CVD after Microsoft cut off their ability to coordinate. The researcher's grievances are serious and specific.”

Ultimately, “the bugs are Microsoft's,” Moussouris said. “They wrote the code and they own the risk to customers. Often researchers who previously work with a vendor respond in the extreme only when they feel there is no other choice. The power they hold is not at all proportionate to the vendor. This is a David and Goliath dynamic we don't like to see play out, especially since it’s users who lose when coordination negotiations fail.”

While it’s a very extreme - perhaps the most extreme - example of coordinated disclosure gone wrong, it’s not an isolated problem. Researchers have been complaining about CVD, and specifically Redmond’s bug disclosure habits, for years.

“While some companies have improved, Microsoft has not,” Childs said. “If anything, they are seen as difficult to work with, especially if your bug is Moderate instead of Critical. I’ve had researchers tell me that they stopped looking at Microsoft altogether because they were too difficult to work with.”

Plus, these types of disagreements between researchers and bug bounty programs will likely increase, as AI-assisted bug reports become the norm and vulnerabilities skyrocket.

“We as an industry need to take a breath, remember there are real people involved, and that poor interactions could lead to real customer risk,” Childs said. “Real-world impact is lost far too often when disclosure goes wrong.” ®

The ongoing conflict between Microsoft and the security researcher Nightmare Eclipse, who has released six Windows zero-days, intensified with the researcher's threat of a public disclosure on July 14th. Microsoft responded to the researcher and the now-public vulnerabilities by publishing a blog post concerning coordinated vulnerability disclosure, stating that these bugs were not reported through official channels beforehand. The specific vulnerabilities disclosed included RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma. Subsequent reports indicated that attackers began exploiting three of these vulnerabilities (BlueHammer, RedSun, and UnDefend) after Nightmare released working proof-of-concept exploit code on now-banned GitHub (owned by Microsoft) and GitLab accounts.

Microsoft firmly stated its opposition to uncoordinated disclosures that could harm customers, warning that releasing proof-of-concept code for unpatched vulnerabilities to malicious actors is unjustifiable. The company indicated that its security teams continuously track threat actors and that its Digital Crimes Unit would pursue legal action against those enabling criminal activity, coordinating with global law enforcement as necessary. The researcher, Nightmare, countered this by alleging humiliation, claiming that Microsoft refused communication and withheld compensation, noting that a critical vulnerability, YellowKey, also lacked a fix, leading to concerns about its probable exploitation.

The situation prompted broader reflection on the coordinated vulnerability disclosure (CVD) process. Dustin Childs, who has deep experience in the CVD process, suggested that the process is inherently a two-way street, placing responsibility on the vendor to improve communication and clearly define the risks and defensive measures for end-users. Luta Security founder and CEO Katie Moussouris observed that Microsoft's response offered mixed messages, invoking outdated terms like "responsible disclosure" which she felt hindered coordination. She argued that the dynamic between the researcher and the vendor represented a classic David and Goliath scenario, suggesting that the researcher's grievances were serious, stemming from feeling systematically shut out of legitimate channels for reporting flaws, and that the ultimate risk resided with the developers who authored the code.

Other commentators viewed Microsoft's actions as indicative of a larger systemic issue, noting a pattern where researchers often face significant hurdles when dealing with vendors. Childs further emphasized the need for clearer direction from vendors regarding real risks, especially as AI-assisted bug reporting increases. This dispute is framed as part of a larger trend where the gap between vulnerability disclosure and weaponization is rapidly shrinking, as demonstrated by the impact of a single actor versus organized threat groups. Ultimately, the episode highlights the potential real-world consequences when coordination negotiations fail, emphasizing the need for robust security protocols and transparent communication to mitigate risks for the digital ecosystem.