Two Faces of Microsoft’s MSRC: One Researcher Gets a CVE Thank‑You, Another Is Banned
The article contrasts how Microsoft’s Security Response Center praised researcher april_ivyyy with a CVE assignment while simultaneously deleting Nightmare Eclipse’s MSRC, GitHub, and GitLab accounts and issuing a legal threat, illustrating the divergent outcomes of vulnerability disclosure within the same ecosystem.
One Thank‑You, One Ban
On July 17, security researcher april_ivyyy tweeted gratitude for receiving CVE‑2026‑58532 from Microsoft’s Security Response Center (MSRC), noting the prompt handling, bounty, and public acknowledgment.
At the same time, another researcher known as Nightmare Eclipse (also called Chaotic Eclipse) experienced the opposite fate: MSRC deleted his account, GitHub and GitLab repositories were removed, and Microsoft sent a lawyer’s letter.
Six Weeks, Seven Zero‑Days
Nightmare Eclipse’s conflict with Microsoft began in late March 2026 when he published a blog post titled “I Never Wanted to Do This…”. He later disclosed the BlueHammer vulnerability, a Windows Defender privilege‑escalation bug.
BlueHammer – Windows Defender privilege escalation – CVE‑2026‑33825 – fixed
RedSun – Windows Defender privilege escalation – fixed, exploited in the wild
UnDefend – Defender bypass – fixed, exploited in the wild
YellowKey – BitLocker bypass – fixed
GreenPlasma – Local privilege escalation – not fixed
MiniPlasma – Local privilege escalation – not fixed
RoguePlanet – Defender privilege escalation – fixed
GreatXML – BitLocker bypass – not fixed
BlueHammer, RedSun, and UnDefend have been observed in ransomware campaigns.
Why the Conflict Escalated
Nightmare Eclipse abandoned the industry‑standard coordinated vulnerability disclosure (CVD) process, which gives vendors weeks or months to fix issues before public release. He argued that Microsoft had threatened his livelihood, prompting him to publish remote‑code‑execution exploits.
He also claimed he never received any bounty from Microsoft’s bug‑bounty program.
GitHub and GitLab Bans
In late May, GitHub—owned by Microsoft—banned Nightmare Eclipse’s account, sparking accusations of a conflict of interest. Supporters of Microsoft argued that publishing unpatched exploits is irresponsible, while critics said Microsoft was both judge and player.
After GitHub’s ban, Nightmare Eclipse moved to GitLab, which also suspended his account on May 26, with no public explanation, leading many to suspect pressure from Microsoft.
LegacyHive and the Record‑Breaking Patch Tuesday
On July 14, during Microsoft’s “Patch Tuesday” that fixed a record 622 vulnerabilities, Nightmare Eclipse released a new zero‑day called LegacyHive , a local privilege‑escalation flaw in the Windows user‑profile service (profsvc) that can load another user’s hive, including the administrator’s.
The proof‑of‑concept was a trimmed version requiring additional credentials and targeting only the usrclass.dat hive, which the researcher claimed was to “prevent large‑scale abuse”. However, Huntress warned that similar tools had been weaponized within days of previous disclosures, and that the trimmed version only raised the exploitation barrier slightly.
Broader Implications for the Security Ecosystem
The two parallel timelines illustrate the ideal MSRC workflow—responsible report, quick response, CVE assignment, and public thanks—versus a breakdown where reports are ignored, no bounty is paid, accounts are deleted, and the researcher resorts to public, uncoordinated zero‑day releases.
This situation highlights a systemic tension for Microsoft: it relies on external researchers for vulnerability discovery while lacking mechanisms to prevent escalation when researchers feel mistreated, potentially exposing users to greater risk.
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Black & White Path
We are the beacon of the cyber world, a stepping stone on the road to security.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.
