Microsoft building showing public disclosure of zero-day vulnerability

Microsoft Doubles Down on Opposition to Public Disclosure as “Chaotic Eclipse” Wave of Zero-Day Vulnerabilities Continues

An ugly and ongoing feud between Microsoft and a prominent security researcher seems to have resulted in Redmond doubling down on its position in favor of Coordinated Vulnerability Disclosure (CVD) over more immediate public disclosure. The issue has come up as researcher “Chaotic Eclipse,” an established Windows expert, has directly disclosed a string of zero-day vulnerabilities that impact the operating system.

Cyber security researchers have long had criticisms for Microsoft’s policies toward public disclosure, but debate about CVD in particular has come to a head recently as AI threatens to supercharge discovery of zero-day vulnerabilities. Microsoft sits in favor of a traditional 90-day period in which vulnerability discoverers must keep things non-public and work directly with the impacted party as remediation takes place, something that critics say is outmoded when models like Mythos can potentially uncover hundreds of new bugs within minutes.

Release of zero-day vulnerabilities rankles Microsoft, prompting backlash

The specific prompt for Microsoft’s reaffirmation of CVD seems to be the recent string of Windows zero-day vulnerabilities released via direct public disclosure by independent researcher Chaotic Eclipse (also known as Nightmare Eclipse). The researcher disclosed the first of these zero-days, the Microsoft Defender exploit BlueHammer (CVE-2026-33825), in April of this year. They followed this up in about two weeks with the release of two more that target Defender (RedSun and UnDefend), again shortly followed by an additional two (YellowKey and GreenPlasma) that target the BitLocker device encryption feature.

Microsoft has since patched most of these zero-day vulnerabilities, but certain of them took some time to patch and were hammered by threat actors during the interim (and have since been added to the Known Exploited Vulnerability (KEV) catalog). This also triggered a blog post from Microsoft mentioning the incident directly as a factor in its continuing support for its CVD policies.

Chaotic Eclipse, who is anonymous but claims to be a former Microsoft employee, issued a blog post in response that claimed they had tried to contact the company privately before the public disclosure but had their tickets and emails entirely ignored. Microsoft responded by removing the researcher’s GitHub account, which had been hosting the exploits, citing a policy breach for making weaponized code available. This triggered a furious response from Chaotic Eclipse, who threatened to drop even more Windows  zero-day vulnerabilities on the July 14 “Patch Tuesday” that would “shatter the company’s bones.”

John Carberry, Solution Sleuth, Xcape, notes that there are few good answers to be found in the midst of this for organizations simply trying to keep up with their patching: “For enterprise risk leaders, this public spat is a dangerous distraction from the actual operational threat. The moment a researcher publishes full technical details or a working proof-of-concept for core Windows components like Defender, Azure, or Exchange Server, the time-to-exploit window for threat actors drops to zero.”

“Security executives cannot afford to wait around for vendor patches to slowly wind their way through QA and deployment pipelines,“ Carberry notes. “They must establish an aggressive, internal mitigation capability that treats uncoordinated disclosures as immediate, active incidents, forcing them to deploy temporary configuration workarounds and hyper-specific EDR detection rules the moment a flaw hits GitHub, long before the official automated fix arrives on a future Patch Tuesday … The current standoff proves that the traditional model of coordinated vulnerability disclosure is buckling under its own weight, leaving enterprise security teams stuck in the crossfire between impatient researchers and overextended software vendors.”

Public disclosure debate changes focus to emerging AI capability

The back-and-forth over public disclosure policy does have substantial “gray area” and nuance. As Microsoft points out, the zero-day vulnerabilities that Chaotic Eclipse provided a “road map” to threat actors and some were almost immediately put to use in real-world attacks. On the other side of the coin, security researchers have long complained of unresponsive and heavy-handed communications from Microsoft that can almost feel like a punishment for responsibly disclosing to them. There is also the uncertainty of whether offered bug bounties will actually be approved and paid as agreed.

For their part Chaotic Eclipse also says that Microsoft closed their MSRC account, removing their ability to even formally report bugs to the company. The Microsoft blog also described their actions as “criminal,” though it is unclear if they intend to actually follow up with any legal charges against the researcher (a route that prior court decisions have not tended to support). Critics raise questions as to how much all of this has a chilling effect on other researchers even attempting to communicate with Microsoft or examine their products in the first place.

“Microsoft does not remove MSRC researcher portal accounts, which is where anyone can submit a vulnerability to the company. Microsoft cannot confirm which account this person is claiming was deactivated,” according to a Microsoft spokesperson.

Microsoft banned the researcher’s GitHub account on May 23, and GitLab (owned independently but partnered with Microsoft to facilitate integration with its tools) opted to block them out three days later when they attempted to transfer the contents to that platform. Both platforms have previously been known to host demonstrations of zero-day vulnerabilities that are in the public interest. Those moves have rankled some in the cybersecurity community, but the real irritant was the intimation that the company might file civil suits. The Computer Fraud and Abuse Act has long made this possible but recent changes make it more difficult for it to be wielded in this way, and even before that companies did not have a high rate of success in civil suits against researchers that could demonstrate they were acting in good faith.

The matter continues to sit in a gray area as the communications between Eclipse and Microsoft prior to the public disclosure and subsequent blow-up are not available to anyone else. But the incident has revived longtime complaints about dealing with Microsoft’s bug reporting and bug bounty processes, from being asked by automated systems to attach excessive supporting evidence to them skipping the CVE process by labeling a report as “no issue” and then quietly issuing a fix without acknowledgement later. AI being able to detect zero-day vulnerabilities in minutes may well force serious changes to these systems, but for the moment Microsoft appears to be staying the usual course.

As Jacob Krell, Senior Director: Secure AI Solutions & Cybersecurity, Suzu Labs, observes: “The traditional 90 day embargo was designed for a slower world. AI has compressed vulnerability discovery timelines so dramatically that ninety days is enough time for an entirely new frontier model to be deployed and pointed at the same codebase. Microsoft has patched over 500 CVEs in the first five months of 2026 alone. That volume is a signal that product security posture across the ecosystem is weaker than the market assumes. The Nightmare-Eclipse campaign has followed through on every public threat so far, and the warnings of further disclosures should be taken seriously.”