Microsoft 0-day feud escalates as researcher threatens another Windows exploit dump

The ongoing conflict between Microsoft and the security researcher known as Nightmare Eclipse has escalated dramatically, with the latter threatening a significant release of vulnerabilities on July 14. Nightmare, who has already disclosed six zero-day vulnerabilities affecting Windows, has positioned themselves as a formidable adversary to the tech giant. In response, Microsoft issued a blog post addressing the vulnerabilities, which include RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma. The company stated that none of these vulnerabilities were reported through its official channels before their public disclosure.

Following the release of proof-of-concept exploit code for three of the vulnerabilities—BlueHammer, RedSun, and UnDefend—attackers quickly began to exploit these weaknesses. Microsoft has expressed concern over the potential for exploitation, particularly regarding YellowKey (CVE-2026-45585), which has yet to receive a fix. In a blog post, Microsoft firmly opposed the actions of Nightmare, emphasizing the dangers of uncoordinated vulnerability disclosures and hinting at possible legal repercussions. “Uncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable,” the company stated, underscoring the real-world consequences of such actions.

Despite Microsoft’s firm stance, Nightmare has accused the company of silencing them by deleting their Microsoft Security Response Center (MSRC) account, which they claim prevented them from reporting vulnerabilities. In a recent communication, Nightmare expressed frustration over their treatment by Microsoft, stating, “When I actively asked you to communicate with me, you refused, humiliated me and made sure to insult me in front of people.” They further warned that their upcoming release on July 14 would be significant, declaring, “Mark this date, I will make sure your bones are shattered that day.”

The ramifications of this conflict have already been felt within the cybersecurity community. Systems engineer Muhammad Qasim Shahzad remarked on LinkedIn that Nightmare has caused more enterprise-level damage in a short span than many advanced persistent threat (APT) groups achieve in an entire year. This rapid pace of vulnerability disclosure and exploitation raises alarms about the shrinking window for organizations to patch their systems.

Dustin Childs, head of the Zero Day Initiative, reflected on the situation, suggesting that Microsoft could have navigated the circumstances more effectively. He noted that coordinated vulnerability disclosure (CVD) is a two-way street, where both the vendor and the researcher share responsibility. “The vendor has some responsibility as well, so to go out publicly stating this person violated CVD without showing any of the correspondence seems bold,” he remarked. Childs also highlighted the need for clearer communication from Microsoft regarding the risks associated with the disclosed vulnerabilities.

“This is a dumpster fire of [Microsoft’s] own making.”

Katie Moussouris, founder and CEO of Luta Security, criticized Microsoft’s response, describing it as sending mixed messages. She pointed out that the company’s statement claimed to ensure researchers are compensated and acknowledged, yet Nightmare asserted they received neither. Moussouris also criticized the use of the term “responsible disclosure,” which she believes complicates coordination efforts between researchers and vendors. “The mention of the Digital Crimes Unit in a post discussing vulnerability disclosure makes the post vaguely threatening, which seems intentional,” she stated.

Kevin Beaumont, another former Microsoft employee, characterized the situation as a “dumpster fire” resulting from Microsoft’s own actions. He noted the inconsistency in the company’s approach, referencing past instances where Microsoft hired researchers who had publicly disclosed zero-day exploits. Beaumont cautioned that if Microsoft aims to criminalize deviations from their disclosure framework, they may face significant challenges in court, given their own history.

“The bugs are Microsoft’s.”

Moussouris emphasized that the responsibility for the vulnerabilities ultimately lies with Microsoft, as they are the creators of the code. She pointed out that researchers often resort to extreme measures only when they feel all legitimate communication channels have been closed off. This dynamic reflects a broader issue within the industry, where researchers have voiced concerns about Microsoft’s handling of vulnerability disclosures for years. Childs noted that while some companies have improved their practices, Microsoft remains perceived as difficult to work with, particularly for non-critical bugs.

As the cybersecurity landscape continues to evolve, the challenges surrounding vulnerability disclosure are likely to intensify, especially with the rise of AI-assisted bug reporting. Childs concluded by urging the industry to recognize the human element involved in these interactions, as poor communication can lead to significant risks for end users. “Real-world impact is lost far too often when disclosure goes wrong,” he cautioned.