Microsoft bans security researcher over zero-day exploits, sparking industry backlash

At a glance:

  • Microsoft banned security researcher Nightmare-Eclipse from GitHub after they published multiple Windows zero-day exploits.
  • Eclipse claims the ban was vindictive and alleges unpaid bug bounties, with a threat of more exploits on July 14.
  • Experts criticize Microsoft's handling, citing policy changes in the MSRC program and potential risks to security practices.

What happened

Microsoft has banned the GitHub account of security researcher Nightmare-Eclipse (also known as Chaotic Eclipse) following a dispute over the publication of several Windows zero-day exploits. The ban forced the researcher to migrate their work to GitLab, while Microsoft allegedly deleted the account Eclipse used for submitting bug reports. The conflict centers on the researcher's claims that the company failed to communicate with or compensate them for disclosed vulnerabilities, despite the existence of Microsoft's bug bounty program, which offers up to $30,000–$100,000 for endpoint zero-days and $250,000 for Hyper-V exploits.

Eclipse, who has documented six zero-day exploits since early April, alleges that Microsoft's actions were retaliatory. In a blog post, they wrote, "[They were] told personally by [Microsoft] that they will ruin my life and they did," and hinted at a "dead-man switch" that could lead to further exploits being released. The researcher's dramatic rhetoric includes threats like "I will make sure [Microsoft's] bones are shattered," though the exact motivations remain unclear.

The researcher's claims

Eclipse's dispute with Microsoft began in April when they published the BlueHammer exploit without prior notice. Their blog posts, described as "unclear and passionate," accuse Microsoft of ignoring or refusing their vulnerability reports and withholding bounties. The researcher emphasizes they received "zero pennies" despite their contributions, suggesting financial harm. They also claim that Microsoft's refusal to engage led to the decision to publish exploits publicly, bypassing traditional disclosure protocols.

The researcher's technical track record includes a series of high-impact vulnerabilities:

  • BlueHammer: Exploits Windows Defender to gain SYSTEM-level access.
  • RedSun: Similar SYSTEM access via an unspecified vulnerability.
  • UnDefend: Disables Windows Defender entirely.
  • GreenPlasma: Leverages the CTFMon service for SYSTEM access.
  • MiniPlasma: Exploits a flaw in the Windows Cloud Filter driver.
  • YellowKey: Bypasses BitLocker encryption to access encrypted drives.

Three of these exploits (BlueHammer, RedSun, UnDefend) are confirmed to be actively exploited in the wild, raising concerns about the potential misuse of the others.

Expert commentary

William Dormann, a security expert at Tharros, criticized Microsoft's approach, stating, "MSRC used to be quite excellent to work with. But to save money, Microsoft fired the skilled people, leaving flowchart followers." Dormann speculated that Microsoft may have closed the case after Eclipse refused to submit a video of the exploit, which he claims is now an MSRC requirement. This shift in policy, according to Dormann, reflects a broader trend of prioritizing cost-cutting over effective security collaboration.

The incident has drawn scrutiny from the cybersecurity community, with many arguing that banning researchers undermines transparency and security. Critics point out that the code was already public, making the ban largely symbolic and counterproductive. The optics of the situation are particularly damaging for Microsoft, as it appears to penalize a researcher for exposing vulnerabilities rather than addressing them.

Technical impact

The exploits published by Eclipse highlight critical flaws in Windows security infrastructure. BlueHammer, RedSun, and UnDefend have already been weaponized, with active exploitation reported by security firms. The remaining exploits (GreenPlasma, MiniPlasma, YellowKey) pose similar risks, especially given the partial or full proof-of-concept code shared by Eclipse. These vulnerabilities could allow attackers to escalate privileges, disable security features, or bypass encryption—actions that directly undermine the protections these systems are designed to provide.

The rapid dissemination of exploit code has raised alarms about the potential for widespread attacks. While Microsoft has not commented on the specifics, the lack of a coordinated disclosure process may have accelerated the vulnerabilities' exposure to malicious actors.

Broader implications

This incident underscores growing tensions between tech companies and independent security researchers. As AI-driven tools accelerate vulnerability discovery, traditional 90-day disclosure windows are becoming obsolete. Eclipse's case reflects a broader debate about how companies like Microsoft should handle unpaid or unacknowledged reports, particularly when researchers feel their efforts are dismissed or penalized.

Industry experts argue that rigid policies and reduced human oversight at MSRC may be eroding trust in Microsoft's security ecosystem. The researcher's threats of further retaliation, including a July 14 "reckoning," suggest that unresolved disputes could escalate into more publicized vulnerabilities. For Microsoft, the challenge lies in balancing internal policies with the need to maintain collaborative relationships in the security community.

The fallout from this incident may influence how other companies approach bug bounty programs and researcher engagement. As the line between ethical hacking and corporate retribution blurs, the cybersecurity landscape faces renewed questions about accountability, transparency, and the role of independent researchers in safeguarding digital infrastructure.

Editorial: SiliconFeed is an automated feed: facts are checked against sources; copy is normalized and lightly edited for readers.

FAQ

Why did Microsoft ban Nightmare-Eclipse from GitHub?

Microsoft banned the researcher after they published multiple Windows zero-day exploits without prior coordination. Eclipse claims the ban was retaliatory, citing unpaid bug bounties and a lack of communication from Microsoft's security team. The company has not provided specific reasons for the ban, leading to speculation about policy changes and internal practices.

What are the implications of the published exploits?

Three of Eclipse's exploits (BlueHammer, RedSun, UnDefend) are already being actively exploited in the wild, posing immediate risks to Windows users. The remaining vulnerabilities (GreenPlasma, MiniPlasma, YellowKey) could allow attackers to bypass security measures like BitLocker encryption or disable Windows Defender. The public release of proof-of-concept code has accelerated the potential for misuse.

What is the July 14 threat mentioned by Eclipse?

Eclipse hinted at a "reckoning" on July 14, suggesting they may release additional zero-day exploits in retaliation for Microsoft's actions. The researcher has not specified the nature of the threat, but it is likely tied to unresolved disputes over unpaid bounties and the company's handling of their previous disclosures. The cybersecurity community is monitoring the date for potential developments.

Prepared by the editorial stack from public data and external sources.