Microsoft Security Response Center (MSRC) on May 27 appeared to threaten legal action over the uncoordinated disclosure of six impactful zero days.
Now it’s trying to turn down the temperature.
The central security team has faced a public barrage of criticism from a security researcher going by the handle Nightmare Eclipse/Chaotic Eclipse.
The researcher, believed to be young, alleges that MSRC has attempted to muzzle them – ultimately shutting down their GitHub and GitLab accounts after they publicly posted a flurry of exploits for bugs they had found.
In a May 27 blog, MSRC had pointed specifically to the ongoing situation and then commented that “Our security teams across the company work tirelessly tracking threat actors who look for weaknesses just like these…Our Digital Crimes Unit will continue bringing cases against these actors.”
“Literally gave me free vulnerabilities”
Many in the security community took that as a highly regressive threat to penalise public bug disclosure outside of MSRC’s “coordinated vulnerability disclosure” (CVD) programme.
In a show of solidarity, some even gifted potentially valuable (under bug bounty programmes) bugs to the researcher.
(As Nightmare Eclypse wrote on May 29: “Soooo, something extremely funny is happening. After the recent events, multiple researchers reached out to me and some just literally gave me free vulnerabilities…”)
MSRC now says it is “listening to the conversation around coordinated disclosure and the relationship between security researchers and vendors. We recognize that this relationship is both critical and, at times, fragile.”
“No intention to pursue action...”
In a post on social media today, Redmond’s team added: “We deeply value the security community, and will continue to take your feedback seriously. To be clear about our approach to legal matters, we have no intention to pursue action against individuals conducting or publishing their security research.
“When an individual breaks the law and engages in malicious activity causing real harm to our customers, we will work with law enforcement as appropriate. We recognize the work that goes into researching and submitting a vulnerability. We are committed to approaching every interaction with transparency, clear communication, and professionalism.”
“We acknowledge that some interactions have fallen short and are working to learn from them… We are committed to maintaining a constructive and respectful relationship and growing together. We know that, given the nature of this work, there will at times be misunderstandings. We remain committed to engaging in good faith and to providing a respectful and professional experience for all researchers, regardless of past interactions.”
The precise nature of Nightmare Eclypse’s relationship with Microsoft and their identity remain closely guarded. They have disclosed a series of highly novel vulnerabilities including a complete bypass of BitLocker encryption.
The vulnerability, tracked as CVE-2026-45585, effectively makes any lost or stolen laptop a data breach incident and, as Microsoft admits, means a “successful attacker could bypass the BitLocker Device Encryption feature on the system storage device. An attacker with physical access to the target could exploit this vulnerability to gain access to encrypted data.”
Other exploits published by the researcher let attackers abuse a trio of Microsoft Defender vulnerabilities, tracked as RedSun (CVE-2026-41091), UnDefend (CVE-2026-45498) and BlueHammer (CVE-2026-33825), for privilege escalation; these have since been exploited in the wild.