Microsoft Criticizes Public Zero-Day Disclosure Amid GitHub Researcher’s Account Deletion

Microsoft has come out in favor of Coordinated Vulnerability Disclosure (CVD), urging the research community to share their findings and giving affected vendors an opportunity to better understand the impact and address it before it is made public.
The development comes after a researcher named Chaotic Eclipse (also known as Nightmare-Eclipse) disclosed details of several zero-day vulnerabilities affecting many Windows components, including Defender and BitLocker, last month, citing grievances with how Microsoft handled the vulnerability disclosure process.
“In recent weeks, zero-day vulnerabilities have been exposed publicly,” the tech giant said. “Details of this vulnerability were not shared with Microsoft before it was released, and disclosure puts our customers at unnecessary risk.”
“In response to the unnecessary risk created by this disclosure, our security teams have been working around the clock to understand the impact, protect our customers, and develop security updates.”
The vulnerabilities include BlueHammer (CVE-2026-33825), RedSun (CVE-2026-41091), UnDefend (CVE-2026-45498), YellowKey (CVE-2026-45585), GreenPlasma, and MiniPlasma. After being exposed, BlueHammer, RedSun, and UnDefend all came under active exploitation in the wild.
Microsoft said it was “strongly” opposed to such uncoordinated disclosures and that publicly posting proof-of-concept exploit code could have “real-world consequences” once it ends up in the hands of bad actors.
“We invite diverse perspectives that help the security community to work together to protect everyone. We recognize that we will not always agree on everything, but we are committed to opening up and continuing to create opportunities for dialogue,” said the technology giant.
“These conversations happen at researcher awareness events, security conferences, and the daily work we do together to understand and address vulnerabilities.”
The fallout from this disclosure is said to have led GitHub to take down the researcher’s account last week. Although the exploit code for the six vulnerabilities was later uploaded to GitLab, the newly created account has since been banned.
“So let me clarify this, when I actively asked you to contact me, you refused, humiliated me, made sure to insult me in front of people,” said the researcher in a post published over the weekend.
“You’re publicly insulting me with your CVE-2026-45585 advice even though you literally deleted the Microsoft account I used to report bugs to and I got zero cents for doing it and I happily made a fool of myself. Now you have the courtesy to flag my GitHub account and publicly delete it to prove that to everyone? [sic] to escalate this conflict but I’m done persuading you.”
The researcher also said that they intend to release something on July 14, 2026, “that will make sure that your bones break on that day.”