Two Faces of Microsoft’s MSRC: One Researcher Gets a CVE Thank‑You, Another Is Banned

The article contrasts how Microsoft’s Security Response Center praised researcher april_ivyyy with a CVE assignment while simultaneously deleting Nightmare Eclipse’s MSRC, GitHub, and GitLab accounts and issuing a legal threat, illustrating the divergent outcomes of vulnerability disclosure within the same ecosystem.

Black & White Path
Black & White Path
Black & White Path
Two Faces of Microsoft’s MSRC: One Researcher Gets a CVE Thank‑You, Another Is Banned

One Thank‑You, One Ban

On July 17, security researcher april_ivyyy tweeted gratitude for receiving CVE‑2026‑58532 from Microsoft’s Security Response Center (MSRC), noting the prompt handling, bounty, and public acknowledgment.

At the same time, another researcher known as Nightmare Eclipse (also called Chaotic Eclipse) experienced the opposite fate: MSRC deleted his account, GitHub and GitLab repositories were removed, and Microsoft sent a lawyer’s letter.

Six Weeks, Seven Zero‑Days

Nightmare Eclipse’s conflict with Microsoft began in late March 2026 when he published a blog post titled “I Never Wanted to Do This…”. He later disclosed the BlueHammer vulnerability, a Windows Defender privilege‑escalation bug.

BlueHammer – Windows Defender privilege escalation – CVE‑2026‑33825 – fixed

RedSun – Windows Defender privilege escalation – fixed, exploited in the wild

UnDefend – Defender bypass – fixed, exploited in the wild

YellowKey – BitLocker bypass – fixed

GreenPlasma – Local privilege escalation – not fixed

MiniPlasma – Local privilege escalation – not fixed

RoguePlanet – Defender privilege escalation – fixed

GreatXML – BitLocker bypass – not fixed

BlueHammer, RedSun, and UnDefend have been observed in ransomware campaigns.

Why the Conflict Escalated

Nightmare Eclipse abandoned the industry‑standard coordinated vulnerability disclosure (CVD) process, which gives vendors weeks or months to fix issues before public release. He argued that Microsoft had threatened his livelihood, prompting him to publish remote‑code‑execution exploits.

He also claimed he never received any bounty from Microsoft’s bug‑bounty program.

GitHub and GitLab Bans

In late May, GitHub—owned by Microsoft—banned Nightmare Eclipse’s account, sparking accusations of a conflict of interest. Supporters of Microsoft argued that publishing unpatched exploits is irresponsible, while critics said Microsoft was both judge and player.

After GitHub’s ban, Nightmare Eclipse moved to GitLab, which also suspended his account on May 26, with no public explanation, leading many to suspect pressure from Microsoft.

LegacyHive and the Record‑Breaking Patch Tuesday

On July 14, during Microsoft’s “Patch Tuesday” that fixed a record 622 vulnerabilities, Nightmare Eclipse released a new zero‑day called LegacyHive , a local privilege‑escalation flaw in the Windows user‑profile service (profsvc) that can load another user’s hive, including the administrator’s.

The proof‑of‑concept was a trimmed version requiring additional credentials and targeting only the usrclass.dat hive, which the researcher claimed was to “prevent large‑scale abuse”. However, Huntress warned that similar tools had been weaponized within days of previous disclosures, and that the trimmed version only raised the exploitation barrier slightly.

Broader Implications for the Security Ecosystem

The two parallel timelines illustrate the ideal MSRC workflow—responsible report, quick response, CVE assignment, and public thanks—versus a breakdown where reports are ignored, no bounty is paid, accounts are deleted, and the researcher resorts to public, uncoordinated zero‑day releases.

This situation highlights a systemic tension for Microsoft: it relies on external researchers for vulnerability discovery while lacking mechanisms to prevent escalation when researchers feel mistreated, potentially exposing users to greater risk.

Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Sign in to view source
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactadmin@besthub.devand we will review it promptly.

CVEGitHubWindows securitySecurity researchvulnerability disclosureMSRC
Black & White Path
Written by

Black & White Path

We are the beacon of the cyber world, a stepping stone on the road to security.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.