A researcher reported vulnerabilities to Microsoft. Microsoft deleted their account. Paid them nothing. Ignored their requests to communicate. [1]

The researcher released six zero-days with no warning.

Three are now under active exploitation in the wild. Two have no patch. One bypasses BitLocker entirely with a USB stick and a reboot. [2]

Microsoft’s response was to call this “irresponsible disclosure” and invoke its Digital Crimes Unit. [3]

That framing deserves scrutiny.

Coordinated Vulnerability Disclosure is not a legal obligation. It is a social contract. Researchers agree to give vendors time to patch before going public. Vendors agree to engage, compensate, and protect the researchers who do so. When one side stops holding up that contract, the other side is not bound by it.

What the public record shows: a researcher submitted bugs, received no compensation, had their reporting account deleted, asked for communication and was refused, and was publicly named in an advisory the researcher says misrepresented their conduct. Then their GitHub account was removed around May 23. Then their GitLab account was suspended on May 26. [4]

Microsoft’s public statement described the solution as “researcher appreciation events and security conferences.” [3]

That is not an accountability architecture. That is a PR posture.

The downstream consequence of this institutional failure is not theoretical. Three CVEs from this campaign are confirmed exploited in the wild. Two elevation-of-privilege vulnerabilities remain unpatched with no known mitigation. [2] Huntress Labs confirmed active exploitation of BlueHammer, RedSun, and UnDefend as early as April 10, 2026, with threat actors deploying tools under disguised filenames after gaining initial access through compromised VPN credentials. [5]

The researcher has named July 14 as the next release date. July 14 is Patch Tuesday. [6]

That is a calendar-bounded enterprise risk. Organizations running unpatched Windows environments have approximately 45 days to remediate against a threat actor with demonstrated delivery capability, escalating motivation, and a public track record of following through.

The gap here is not a technical one. The technical work was done, by the researcher, for free, reported privately. The gap is that Microsoft has no observable mechanism for handling the breakdown of its own disclosure process. When a contributor relationship fails, the institution’s response is legal threat and platform suppression rather than structural acknowledgment of what went wrong internally.

One systems engineer assessed it directly: one person caused more enterprise-level damage in six weeks than most APT groups cause in a year. [7]

That outcome did not require a nation-state. It required an institution that could not account for a single broken relationship.

The gap is not in the exploit code. The gap is in the governance.

Patch status as of May 29, 2026
BlueHammer (CVE-2026-33825) – Patched
RedSun (CVE-2026-41091) – Patched
UnDefend (CVE-2026-45498) – Patched
YellowKey (CVE-2026-45585) – Unpatched. Exploitation more likely. Working POC confirmed.
GreenPlasma – Unpatched. No known mitigation.
MiniPlasma – Unpatched. Confirmed working on fully patched Windows 11 as of May 2026. [2]

Vordan publishes the Gap Alert when the intelligence warrants it. The Accountability Report publishes every Sunday. The doctrine is Accountable by Design.

Subscribe

Sources

[1] Nightmare-Eclipse, “July 14th,” deadeclipse666.blogspot.com, May 2026. https://deadeclipse666.blogspot.com/2026/05/july-14th.html

[2] Notebookcheck, “Nightmare Eclipse banned from GitHub and GitLab, vows July 14 attack,” May 28, 2026. https://www.notebookcheck.net/Nightmare-Eclipse-banned-from-GitHub-and-GitLab-vows-July-14-attack.1308633.0.html

[3] Microsoft MSRC, “A shared responsibility: Protecting customers through Coordinated Vulnerability Disclosure,” May 27, 2026. https://www.microsoft.com/en-us/msrc/blog/2026/05/a-shared-responsibility-protecting-customers-through-coordinated-vulnerability-disclosure

[4] Cybernews, “GitLab bans rogue researcher releasing Windows zero-days,” May 2026. https://cybernews.com/security/gitlab-bans-rogue-researcher-releasing-windows-zero-days/

[5] Cybersecurity News, “GitLab Suspends Windows Exploit Researcher Nightmare-Eclipse After GitHub Ban,” May 2026. https://cybersecuritynews.com/windows-exploit-researcher-suspended/

[6] Windows Forum, “Nightmare-Eclipse Windows Zero-Day: GitHub/GitLab Bans, Patch Timeline, and Defender Risk,” May 2026. https://windowsforum.com/threads/nightmare-eclipse-windows-zero-day-github-gitlab-bans-patch-timeline-and-defender-risk.420500/

[7] The Register, “Microsoft 0-day feud escalates as researcher threatens another Windows exploit dump,” May 28, 2026. https://www.theregister.com/security/2026/05/28/microsoft-0-day-feud-escalates-as-researcher-threatens-another-windows-exploit-dump/5248085

Reply

Avatar

or to participate

Keep Reading

© 2026 Vordan.co.
beehiivPowered by beehiiv