Windows 11’s June update shuts down an alleged BitLocker backdoor with full file access

Earlier this week, Microsoft patched three zero-day vulnerabilities disclosed by the security researcher known as “Chaotic Eclipse,” or Nightmare-Eclipse. The flaws, dubbed YellowKey, GreenPlasma, and MiniPlasma, were published last month before fixes were available and have drawn considerable attention within the cybersecurity community.

Details of the Vulnerabilities

The YellowKey vulnerability in particular has drawn attention because it reportedly lets someone with physical access read files from a BitLocker-protected Windows 11 drive using nothing more than a USB key. On that basis, Nightmare-Eclipse has alleged that Microsoft “intentionally” left a backdoor in this critical security feature.

In response, Microsoft shipped a mitigation for the BitLocker bypass in the Windows Recovery Environment (WinRE). The fix was included in the June 2026 Patch Tuesday updates, which together addressed over 200 security flaws.
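For administrators reading this report, the immediate questions are whether BitLocker protection is actually on, how the OS drive is unlocked, whether WinRE is present on the machine, and whether the June cumulative update has landed. The following PowerShell script is an added example written for this page, not code from the article, Microsoft, or the researcher. It uses only documented tools (Get-BitLockerVolume, reagentc.exe, Get-HotFix); the KB number of the June update is not named in the article, so the script deliberately does not hard-code one and leaves that match to the reader.

```powershell
# Added example (not from the article): post-disclosure status checks for BitLocker
# and WinRE. Run from an elevated PowerShell prompt on the Windows 11 host.
#Requires -RunAsAdministrator

# 1. BitLocker state of every volume: is protection on, and which key protectors
#    unlock it? A TPM-only protector unlocks the OS drive automatically at boot;
#    TPM+PIN requires pre-boot authentication. The article does not state which
#    configurations YellowKey affects, so this step only reports what is configured.
$volumes = Get-BitLockerVolume
$volumes | ForEach-Object {
    [pscustomobject]@{
        MountPoint       = $_.MountPoint
        VolumeStatus     = $_.VolumeStatus      # FullyEncrypted / FullyDecrypted / ...
        ProtectionStatus = $_.ProtectionStatus  # On / Off (Off = volume unlockable without a protector)
        EncryptionMethod = $_.EncryptionMethod
        KeyProtectors    = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
    }
} | Format-Table -AutoSize

# 2. Windows Recovery Environment state. reagentc /info reports whether WinRE is
#    enabled and where its image lives; the patched component is only relevant
#    on machines that have WinRE available.
$reInfo    = reagentc.exe /info
$reInfo
$reEnabled = [bool]($reInfo | Select-String 'Windows RE status:\s+Enabled')

# 3. Most recently installed updates, to match against Microsoft's June 2026
#    release notes by KB number (the KB is not given in the article).
Get-HotFix |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, Description, InstalledOn |
    Format-Table -AutoSize

# 4. Flag the conditions worth escalating.
$os = $volumes | Where-Object { $_.MountPoint -eq $env:SystemDrive }
if ($null -eq $os -or $os.ProtectionStatus -ne 'On') {
    Write-Warning "BitLocker protection is not On for $env:SystemDrive."
}
if ($reEnabled) {
    Write-Host "WinRE is enabled on this host; confirm the June 2026 cumulative update is installed." -ForegroundColor Yellow
}
```

The script changes nothing; it only collects the state an incident responder would want in a ticket. Whether a given protector configuration is exposed to YellowKey is not established by the article, so treat step 1 as inventory rather than a verdict.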

Ongoing Tensions

Recent weeks have seen a public dispute between Microsoft and Nightmare-Eclipse over how vulnerabilities should be reported and how researchers should be compensated. Microsoft argued that publicly disclosing unpatched vulnerabilities together with working exploit code put its users at risk.

Initially, the tech giant even threatened legal action against the researcher, a move that sparked widespread outrage among cybersecurity professionals. Following this backlash, Microsoft retracted its threat, but tensions remained high.

Nightmare-Eclipse has alleged that Microsoft retaliated by banning their GitHub account and deleting their Microsoft account, describing the experience as deeply distressing. “[They were] told personally by [Microsoft] that they will ruin my life, and they did,” Nightmare stated, characterizing Microsoft’s actions as vindictive.

In response to these claims, Microsoft clarified that it does not deactivate accounts on the Microsoft Security Response Center (MSRC) researcher portal, where vulnerabilities can be submitted. The company stated, “Microsoft cannot confirm which account this person is claiming was deactivated.”

Broader Implications

This situation unfolds against a backdrop of increasingly sophisticated tactics employed by scammers and malicious actors seeking unauthorized access to sensitive information. Just last month, reports surfaced about scammers exploiting a legitimate Microsoft email address used for two-factor authentication (2FA) codes to deceive unsuspecting users.

As the cybersecurity landscape continues to evolve, the dialogue between tech giants and security researchers remains crucial in fostering a safer digital environment for all users.

Winsage