Microsoft Slams Public Zero-Day Disclosures Amid GitHub Researcher Account Removal
Source: The Hacker News

Microsoft’s stance on coordinated vulnerability disclosure
Microsoft has reiterated its support for Coordinated Vulnerability Disclosure (CVD), urging researchers to share findings with vendors before public release. The company argues that this approach allows vendors to understand the impact and develop mitigations, reducing risk to customers.
“In recent weeks, several zero‑day vulnerabilities have been publicly disclosed,” Microsoft wrote in a blog post. “The details of these vulnerabilities were not shared with Microsoft prior to release, and the disclosures put our customers at unnecessary risk.”
Zero‑day vulnerabilities disclosed
A researcher known as Chaotic Eclipse (aka Nightmare‑Eclipse) disclosed multiple zero‑day vulnerabilities affecting Windows components such as Defender and BitLocker. The disclosed bugs include:
| Vulnerability (researcher's name) | CVE | Exploitation status |
|---|---|---|
| BlueHammer | CVE‑2026‑33825 | Actively exploited |
| RedSun | CVE‑2026‑41091 | Actively exploited |
| UnDefend | CVE‑2026‑45498 | Actively exploited |
| YellowKey | CVE‑2026‑45585 | Not yet exploited |
| GreenPlasma | — | — |
| MiniPlasma | — | — |
Microsoft’s response
Microsoft stated that it “firmly” opposes uncoordinated disclosures and warned that publishing proof‑of‑concept code for unpatched vulnerabilities can have real‑world consequences when it falls into the hands of malicious actors.
The company emphasized its commitment to dialogue with the security community:
“We invite diverse perspectives that help the security community work together to protect everyone. We realize that we will not always agree on everything, but we are committed to transparency and continue to create opportunities for dialogue.”
Microsoft also noted that its security teams have been working “around the clock” to assess impact, protect customers, and develop security updates.
GitHub account removal
Following the disclosures, GitHub removed the researcher's account. The exploit code for the six vulnerabilities was subsequently uploaded to GitLab, but the newly created GitLab account has since been blocked as well.

Researcher’s reaction
The researcher posted a response accusing Microsoft of harassment and threatening further action:
“So let me get this straight, when I actively asked you to communicate with me, you refused, humiliated me, and made sure to insult me in front of people… You defame me in public with your CVE‑2026‑45585 advisory even though you literally deleted the Microsoft account I used to report bugs to you with… Now you take the courtesy to flag my GitHub account and wipe it out of the public, just like that? … I intend to release something on July 14, 2026, that will make sure your bones are shattered that day.”