Microsoft's GitHub bans security researcher who posted zero-day Windows exploits because company 'ruined their life' — expert claims action is vindictive and promises further retaliation
Source: Tom’s Hardware

Background
A dispute has emerged between security researcher Nightmare‑Eclipse (also known as Chaotic Eclipse) and Microsoft. Microsoft banned Eclipse’s GitHub account for unspecified reasons, prompting the researcher to move their work to GitLab. The Microsoft account Eclipse used for reporting vulnerabilities was also reportedly deleted.
Eclipse’s Claims
In a blog post, Eclipse alleges that Microsoft’s actions are vindictive. The researcher states that Microsoft refused communication attempts and did not pay the bug bounties owed through the MSRC program, which can award up to $30,000–$100,000 per endpoint zero‑day and $250,000 for Hyper‑V exploits. Eclipse, who claims to have discovered six zero‑day exploits, warned that July 14 could bring further disclosures.
Eclipse’s dispute dates back to early April, when the BlueHammer zero‑day was published without prior warning. The researcher accuses Microsoft of ignoring or refusing their reports and of causing financial harm by withholding bounty payments. Eclipse also claims to have been told personally by Microsoft that “they will ruin my life and they did,” and mentions a “dead‑man switch” and threats to “shatter Microsoft’s bones.”
Expert Commentary
Security analyst William Dormann (Tharros) commented that “MSRC used to be quite excellent to work with. But to save money, Microsoft fired the skilled people, leaving flowchart followers.” Dormann speculated that Microsoft may have closed the case after Eclipse refused to submit a video of the exploit, which he described as a current MSRC requirement.
Microsoft’s Position
Microsoft has not provided details about the ban or the alleged bounty dispute, leaving it unclear whether the issue stems from a researcher not following standard disclosure procedures or from the company’s handling of security reports.
Implications for Security
The ban has drawn criticism for its poor optics and limited impact on security, as the exploit code remains publicly available. In an era where AI‑assisted research is shortening the time‑to‑exploit window, traditional 90‑day disclosure timelines are becoming obsolete. Both the time‑until‑exploit and the number of unused exploits are approaching zero, suggesting that software vendors may need to revise their vulnerability handling policies.
Eclipse’s Exploits
Eclipse has published several Windows zero‑day exploits:
- BlueHammer – Gains SYSTEM privileges via Windows Defender.
- RedSun – Similar SYSTEM access via Defender.
- UnDefend – Disables Windows Defender.
- GreenPlasma – Obtains SYSTEM access through the CTFMon service.
- MiniPlasma – Grants SYSTEM access via a flaw in the Windows Cloud Filter driver.
- YellowKey – Exploits a BitLocker vulnerability that allows attackers to open encrypted drives with minimal effort.
BlueHammer, RedSun, and UnDefend have been confirmed to be actively exploited in the wild, and the public release of proof‑of‑concept code makes it easy for others to weaponize the remaining exploits.