Microsoft Calls the Zero-Day Dumps Irresponsible. The Researcher Says Microsoft Started It.

Pierluigi Paganini May 29, 2026

A researcher dropped 6 Windows zero-days with no warning. Three are now exploited in the wild. Microsoft is angry. The researcher says Microsoft ignored them first.

Over the past month, a researcher going by Chaotic Eclipse, also known as Nightmare-Eclipse, publicly released details of six unpatched vulnerabilities in Windows components including Defender and BitLocker. No prior notice to Microsoft. No coordination. Just published, with proof-of-concept code attached. Three of those vulnerabilities, BlueHammer, RedSun, and UnDefend, have since been exploited in the wild.

Microsoft’s Security Response Center responded on Tuesday with a blog post that was polite in tone and unambiguous in message.

“In recent weeks several zero-day vulnerabilities have been publicly disclosed,” reads the report published by Microsoft. “The details of these vulnerabilities were not shared with Microsoft prior to release, and the disclosures put our customers at unnecessary risk.”

The company says its security teams have been working around the clock since the disclosures to understand the impact, build patches, and protect customers from attackers who picked up the published exploit code and ran with it.

The post is essentially a public defense of Coordinated Vulnerability Disclosure, the standard practice where a researcher notifies a vendor privately, gives them time to fix the issue, and then goes public. Microsoft says it works with hundreds of researchers this way every year, compensating them through bug bounty programs and crediting them publicly.

“This partnership allows us to make updates to impacted services before proof-of-concept code can make it into the hands of bad actors,” continues the report. “The vulnerabilities known as RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma were not responsibly disclosed.”

The implication is clear: when someone skips that step, real people get attacked with real tools built from the published research.

The researcher’s side of the story is messier. In a blog post published over the weekend, Chaotic Eclipse described a pattern of ignored reports, deleted accounts, and what they perceived as public humiliation by Microsoft in a CVE advisory. They said Microsoft deleted the account they used to submit bug reports, paid them nothing, and then flagged their GitHub account for removal after the disclosures.

“So let me get this straight, when I actively asked you to communicate with me, you refused, humiliated me, and made sure to insult me in front of people,” said Chaotic Eclipse. “You defame me in public with your CVE-2026-45585 advisory even though you literally deleted the Microsoft account I used to report bugs to you with and I got zero pennies from doing so and I still happily did like an idiot. Now you take the courtesy to flag my GitHub account and wipe it out of the public, just like that? You are proving to everyone that you are actively escalating this conflict but I’m done begging you. I might sound like a crazy idiot who is whining around but I have proof for every single word I said, I just can’t release it yet. Why? Microsoft still has chains in my hands, it’s been like this for years and I just can’t stay silent anymore. I hope I can release the documents soon.”

GitHub took down the account. The exploit code was then uploaded to GitLab, where the newly created account has also since been blocked.

The researcher also announced they plan to release something on July 14, 2026.

“Mark this date July 14th, I will make sure your bones are shattered that day. Nothing will be released this June (or maybe I will release smtg, depending on circumstances),” continues Chaotic Eclipse.

That’s a threat vague enough to cover anything from another vulnerability dump to something more serious, and it’s the kind of language that tends to accelerate law enforcement interest.

Microsoft’s post mentions its Digital Crimes Unit will “continue bringing cases” against actors who harm customers, which may or may not be a signal about what comes next.

The broader dispute cuts to a real tension in security research. Microsoft’s position, that uncoordinated disclosure with working exploit code is never justified, is defensible when the vendor acts in good faith. The researcher’s position, that Microsoft ignored legitimate reports, deleted their account, and publicly misrepresented their work, would also be defensible if accurate. Neither party has provided a complete timeline of what was reported, when, and how Microsoft responded. That’s the part that matters, and it’s the part neither side has made transparent.

“We invite diverse perspectives that help the security community work together to protect everyone. We realize that we will not always agree on everything, but we are committed to transparency and continue to create opportunities for dialogue,” concludes Microsoft. “These conversations happen at researcher appreciation events, security conferences, and the everyday work we do together to understand and address vulnerabilities.”

That’s a reasonable thing to say. It lands differently when three of the vulnerabilities you’re describing as “unnecessarily disclosed” are already being used in active attacks against your customers.
