Microsoft Dispute with Security Researcher Escalates as Sides Trade Threats
Microsoft’s ongoing dispute with the security researcher who goes by the handle Nightmare-Eclipse continued to escalate this week, with the researcher being blocked from GitLab just days after Microsoft-owned GitHub did the same, and the vendor calling them out in a blog post.
In response, Nightmare-Eclipse – who also goes by the name Chaotic Eclipse – in their own blog aired complaints about past treatment by Microsoft when they disclosed vulnerabilities to the IT giant and issued a vague warning that on July 14, “I will make sure your bones are shattered that day.”
It’s the latest escalation in a fast-moving situation that has fueled debate over two sets of responsibilities: those of researchers like Nightmare-Eclipse to disclose the vulnerabilities they find to vendors before making them public, so that patches can be generated and issued, and those of the companies to work openly and honestly with the people making those disclosures.
“Coordinated disclosure is a reciprocal contract, and Microsoft’s column defends the half that researchers owe while staying silent on its own,” Mitch Ashley, vice president and practice lead for software lifecycle engineering at The Futurum Group, told Security Boulevard. “The norm survives only as long as vendors triage in good faith, hold to timelines, and fully close the flaws reported to them.”
Ashley added that “the pressure lands on security buyers, who should judge vendors on remediation record over disclosure rhetoric. A 2020 flaw still reaching SYSTEM on fully patched Windows is the verification failure a column about shared responsibility cannot defer.”
Rogue Disclosures Raise Security Risks
In the blog post, Microsoft pointed to six vulnerabilities that Nightmare-Eclipse disclosed publicly over the past two months rather than through the cybersecurity industry’s Coordinated Vulnerability Disclosure (CVD) process, which is designed to let security researchers share their findings with vendors so that the vendors have the chance to assess the impact of a vulnerability and address it before the details are made public.
“This partnership allows us to make updates to impacted services before proof-of-concept code can make it into the hands of bad actors,” Microsoft wrote. “Through this valuable partnership, we also ensure researchers are compensated for their responsible disclosures and publicly acknowledged for their expertise.”
The vendor pointed to six security flaws – known as RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma – that it said were not disclosed through the process. Instead, Nightmare-Eclipse released them publicly over the past few weeks without notifying Microsoft, which the company said put users at “unnecessary risk” and forced its security teams to work “around the clock to understand the impact, protect our customers, and develop security updates.”
Legal Ramifications Threatened
Microsoft appears determined to push the issue, writing that such uncoordinated disclosures that include proof-of-concept code “are never justifiable and have real-world consequences. … Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity – coordinating as needed with law enforcement around the world.”
Analysts with Huntress wrote in late April that they had seen at least three of them – BlueHammer, RedSun, and UnDefend – being exploited in the wild by bad actors.
Microsoft Mistreatment Alleged
For their part, Nightmare-Eclipse wrote that Microsoft mistreated them when they went through the disclosure process, including not paying them for their disclosures and deleting the Microsoft account they used to report previous bugs. Previous blogs over the past couple of weeks show the security researcher’s rising anger at the company.
“Microsoft has chosen to make this worse instead of resolving the situation like adults; they pulled every childish game possible,” they wrote. “My patience is running out; you’re making everyone else pay for it.”
The controversy highlights the at-times contentious relationship between researchers who disclose vulnerabilities to vendors and the vendors that decide how to address those disclosures. Some in the cybersecurity field are openly critical of the security researcher’s methods.
Taking Sides
Barracuda Networks last week called Nightmare-Eclipse a “malicious actor driven by a personal grievance against Microsoft” and suggested that they might be a former Microsoft employee based on their seemingly deep familiarity with the vendor’s codebase and architecture.
“Whether this person is a former employee, a former contractor, or an external researcher with a professional history tied to Microsoft remains an open question,” Barracuda wrote in a blog post, adding that they can identify and exploit zero-day flaws in Windows components and are weaponizing the capability against Microsoft. “These are the actions of a malicious actor – not a whistleblower, not a responsible disclosure advocate, and not a neutral researcher.”
Nightmare-Eclipse is finding a more sympathetic ear on Reddit, where posters say they understand the security researcher’s frustration even if they might not agree with their methods.
“I have zero pity for the company, given their poor track record for security and treatment of their own consumers tbh,” one poster wrote. “They basically taunted him. I am not saying what he did was ‘right’ or even legal but what other choice … did they really leave him? He clearly had no interest in selling it, or else he would have done so without telling anyone.”