Disgruntled 0-day hunter 'humiliated' by Microsoft pledges 'bone shattering drop' as Redmond calls cops

The ongoing saga of Microsoft versus Nightmare Eclipse (aka Chaotic Eclipse), the disgruntled bug hunter with a deep understanding of Windows and an even deeper grudge against Microsoft, reached a fever pitch, with the researcher, who has thus far released six Windows zero-days, promising a “bone shattering” drop on July 14. 

Microsoft, for its part, finally responded to the security researcher and their weaponized Windows flaws with a blog post on (un)coordinated vulnerability disclosure about the now-public bugs: RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma. Redmond says that none of these were reported via its official channels prior to being made public. 

Attackers began hammering three of the six - BlueHammer, RedSun, and UnDefend - soon after Nightmare published working proof-of-concept exploit code for each on now-banned GitHub (owned by Microsoft) and GitLab accounts. 

YellowKey, GreenPlasma, and MiniPlasma still don’t have fixes, and Microsoft has deemed “exploitation more likely” for YellowKey, aka CVE-2026-45585, citing a working POC.

“We remain firmly opposed to these actions, and any disclosure outside proper coordination that could harm our customers and the digital ecosystem,” Microsoft wrote in a Wednesday blog, and then seemingly threatened legal action against Nightmare:

“Uncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable and have real-world consequences. Our security teams across the company work tirelessly tracking threat actors who look for weaknesses just like these to attack Microsoft and our customers. Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity – coordinating as needed with law enforcement around the world.”

Microsoft did not respond to The Register’s questions, including whether its legal team planned to sue Nightmare, whether the zero-day researcher is a current or former employee, and whether Microsoft axed Nightmare’s MSRC account, meaning that the bug hunter can’t disclose vulnerabilities to the Windows giant. 

Nightmare, in their latest anti-Microsoft missive, claims Microsoft did just that.

“When I actively asked you to communicate with me, you refused, humiliated me and made sure to insult me in front of people,” they wrote on Saturday. “You defame me in public with your CVE-2026-45585 advisory even though you literally deleted the Microsoft account I used to report bugs to you with and I got zero pennies from doing so and I still happily did like an idiot.”

Nightmare also noted that “Microsoft still has chains in my hands,” preventing them from releasing “documents” yet, or anytime in June, and then warned: “Mark this date July 14th, I will make sure your bones are shattered that day.”

Regardless of what does or does not happen on July 14, Nightmare has already caused chaos - and real enterprise-level damage, as systems engineer Muhammad Qasim Shahzad said on LinkedIn. 

“One person caused more enterprise-level damage in six weeks than most APT groups cause in a year,” Shahzad wrote. “The gap between disclosure and weaponization is now measured in hours, not days. Your patching window is shrinking fast.”

Zero Day Initiative’s bug hunter-in-chief Dustin Childs, who previously spent about seven years working for Microsoft security and has decades of experience on both sides of the coordinated vulnerability disclosure (CVD) process, told The Register that Microsoft could have handled this better. And he wondered what happened between the two parties to get to this point.

“CVD is a two-way street,” he said. “The vendor has some responsibility as well, so to go out publicly stating this person violated CVD without showing any of the correspondence seems bold.”

Microsoft could also improve its communications to customers on “what the real risks from these bugs are and how they can defend themselves,” Childs added. “That clear direction seems to be missing.”

Microsoft's 'dumpster fire'

Luta Security founder and CEO Katie Moussouris, who pioneered Microsoft’s bug bounty program despite execs vowing never to pay researchers for bugs, said Redmond’s response to Nightmare sends “mixed messages.”

“It confusingly claims their program ‘ensures researchers are compensated and publicly acknowledged’ in a statement answering a researcher who says he got neither,” Moussouris told The Register. “The language choices are also not deescalating. Microsoft invoked the outdated term ‘responsible disclosure,’ which I retired years ago at Microsoft because it was subjective and judgy.”

This phrase, Moussouris added, “got in the way of coordination” when the two sides disagreed about how to best protect end users.

“The mention of the Digital Crimes Unit in a post discussing vulnerability disclosure makes the post vaguely threatening, which seems intentional, but then they wrap up the post saying they welcome reports regardless of disclosure history,” she said. “No one except the parties involved can know for sure what happened between this researcher and Microsoft. Whatever the facts, it's hard to imagine why Microsoft would not try to deescalate, if for no other reason than avoiding the chilling effect on other researchers.”

Security sleuth Kevin Beaumont, in his blog on the ongoing Microsoft-Nightmare Eclipse saga, called it a "dumpster fire of [Microsoft’s] own making.” 

Beaumont also used to work at Microsoft, and he noted that the Windows company previously hired a hacker called SandboxEscaper after she published zero-day POC exploits for Microsoft products - something that Redmond’s blog now describes as criminal.

“If Microsoft’s tactic is to try to criminalise not following often arbitrary ‘responsible disclosure’ frameworks, good luck defending that in court - because there’s a whole clown car of prior decision making within Microsoft and facts which would emerge in that process,” Beaumont said.

To be clear: neither Beaumont nor the researchers that The Reg spoke to support Nightmare’s zero-day antics. Childs called the “July 14” post “troubling” and Moussouris said the date plus “incendiary language … doesn't help organizations trying to make sense of the technical risk.” 

'David and Goliath dynamic' 

Moussouris did add that this latest missive, taken in context with the earlier blog posts, “paint[s] a picture of someone who believes they have been pushed to this extreme. It is the sound of someone who believes every legitimate channel was closed to them: GitHub account deleted, payments withheld, credit stripped, then publicly accused of violating CVD after Microsoft cut off their ability to coordinate. The researcher's grievances are serious and specific.” 

Ultimately, “the bugs are Microsoft's,” Moussouris said. “They wrote the code and they own the risk to customers. Often researchers who previously work with a vendor respond in the extreme only when they feel there is no other choice. The power they hold is not at all proportionate to the vendor. This is a David and Goliath dynamic we don't like to see play out, especially since it’s users who lose when coordination negotiations fail."

While it’s a very extreme - perhaps the most extreme - example of coordinated disclosure gone wrong, it’s not an isolated problem. Researchers have been complaining about CVD, and specifically Redmond’s bug disclosure habits, for years. 

“While some companies have improved, Microsoft has not,” Childs said. “If anything, they are seen as difficult to work with, especially if your bug is Moderate instead of Critical. I’ve had researchers tell me that they stopped looking at Microsoft altogether because they were too difficult to work with.”

Plus, these types of disagreements between researchers and bug bounty programs will likely increase, as AI-assisted bug reports become the norm and vulnerabilities skyrocket.

“We as an industry need to take a breath, remember there are real people involved, and that poor interactions could lead to real customer risk,” Childs said. “Real-world impact is lost far too often when disclosure goes wrong.” ®