Microsoft Condemns Uncoordinated Zero-Day Disclosures Following GitHub Account Suspension
Microsoft has recently emphasized the importance of Coordinated Vulnerability Disclosure (CVD), urging security researchers to share their findings with vendors before making them public. This appeal follows the actions of a researcher known as Chaotic Eclipse, also referred to as Nightmare-Eclipse, who disclosed multiple zero-day vulnerabilities affecting Windows components such as Defender and BitLocker. The researcher cited dissatisfaction with Microsoft’s handling of the vulnerability disclosure process as the reason for the public releases.
In a statement, Microsoft expressed concern over these uncoordinated disclosures, noting that the vulnerabilities were not shared with the company prior to their public release. The company stated, "The details of these vulnerabilities were not shared with Microsoft prior to release, and the disclosures put our customers at unnecessary risk." As a result, Microsoft’s security teams have been working diligently to assess the impact, protect customers, and develop necessary security updates.
The disclosed vulnerabilities include BlueHammer (CVE-2026-33825), RedSun (CVE-2026-41091), UnDefend (CVE-2026-45498), YellowKey (CVE-2026-45585), GreenPlasma, and MiniPlasma. Notably, BlueHammer, RedSun, and UnDefend have been actively exploited in the wild following their disclosure.
Microsoft firmly opposes such uncoordinated disclosures, emphasizing that releasing proof-of-concept code for unpatched vulnerabilities can have real-world consequences when exploited by malicious actors. The company stated, "We invite diverse perspectives that help the security community work together to protect everyone. We realize that we will not always agree on everything, but we are committed to transparency and continue to create opportunities for dialogue. These conversations occur at researcher appreciation events, security conferences, and through daily collaboration to understand and address vulnerabilities."
The fallout from these disclosures has led to GitHub suspending the researcher’s account. Although the exploit code for the six vulnerabilities was subsequently uploaded to GitLab, the newly created account has since been blocked.
In a blog post, the researcher expressed frustration with Microsoft’s response, stating, "So let me get this straight, when I actively asked you to communicate with me, you refused, humiliated me, and made sure to insult me in front of people." The researcher also indicated plans to release additional information on July 14, 2026, warning, "It will make sure your bones are shattered that day."
This incident underscores the ongoing debate within the cybersecurity community regarding the best practices for vulnerability disclosure. While researchers play a crucial role in identifying and reporting security flaws, the method and timing of disclosure can significantly impact the security of users and organizations.
Coordinated Vulnerability Disclosure (CVD) is a process where security researchers privately report vulnerabilities to vendors, allowing them time to develop and release patches before the information becomes public. This approach aims to minimize the risk of exploitation by malicious actors who might take advantage of publicly disclosed vulnerabilities before fixes are available.
Microsoft’s advocacy for CVD aligns with industry standards and practices. The company has established channels for researchers to report vulnerabilities, offering recognition and sometimes financial rewards through programs like the Microsoft Bug Bounty Program. By encouraging researchers to report vulnerabilities directly, Microsoft aims to foster a collaborative environment that enhances security for all users.
However, the relationship between security researchers and vendors can sometimes be strained. Researchers may feel that their findings are not taken seriously or that vendors are slow to respond, leading to frustration and, in some cases, public disclosure of vulnerabilities. Such disclosures can put users at risk, especially if the vulnerabilities are exploited before patches are available.
The case of Chaotic Eclipse highlights these tensions. The researcher felt compelled to disclose vulnerabilities publicly due to perceived shortcomings in Microsoft’s handling of the disclosure process. This action, while drawing attention to the vulnerabilities, also exposed users to potential risks, as evidenced by the active exploitation of some of the disclosed flaws.
In response to the public disclosures, Microsoft has reiterated its commitment to working with the security research community. The company acknowledges that while there may be disagreements, transparency and open dialogue are essential for improving security. By engaging with researchers through various forums and events, Microsoft aims to build trust and encourage responsible disclosure practices.
The suspension of the researcher’s GitHub account and the subsequent blocking of their GitLab account reflect the broader industry’s stance on uncoordinated disclosures. Platforms that host code and research are increasingly enforcing policies that discourage the public release of unpatched vulnerabilities. These measures aim to prevent the spread of exploit code that could be used maliciously, thereby protecting users and organizations from potential attacks.
This incident serves as a reminder of the delicate balance between the need for transparency in security research and the imperative to protect users from harm. While researchers are vital in identifying and reporting vulnerabilities, the manner in which these findings are disclosed can have significant implications. Coordinated disclosure practices, though sometimes slower, aim to ensure that vulnerabilities are addressed responsibly, reducing the window of opportunity for exploitation.
As the cybersecurity landscape continues to evolve, fostering a collaborative relationship between researchers and vendors remains crucial. By working together and adhering to coordinated disclosure practices, the community can enhance security and protect users from emerging threats.