Microsoft reverses 'never justifiable' zero-day stance, vows not to pursue researchers as Nightmare-Eclipse feud spreads
Microsoft publicly walked back an aggressive disclosure stance on June 1-2, 2026 after community backlash.
At a glance
- Microsoft blog (~May 28) called uncoordinated public zero-day disclosures 'never justifiable' and cited Digital Crimes Unit cases; reversal June 1-2, 2026
- 'Nightmare-Eclipse' (aka Chaotic Eclipse / Dead Eclipse) dumped six Windows zero-days with working PoC code since early April 2026 to now-banned GitHub/GitLab accounts
- BlueHammer = CVE-2026-33825 (Windows Defender TOCTOU race using oplocks/NTFS junctions to gain SYSTEM); RedSun = CVE-2026-41091 (abusing Defender cloud-file rollback, decoy TieringEngineService.exe)
- Microsoft patched RedSun and related UnDefend (CVE-2026-45498) on/around May 19-20, 2026 in Defender Platform 4.18.26040.7
- Researcher alleges deleted reporting accounts, withheld bounties, stripped attribution; threatened fresh drop around July 14 (next Patch Tuesday)
VERDICT — CORRECTED ON THE RECORD
Microsoft publicly walked back an aggressive disclosure stance on June 1-2, 2026 after community backlash. Days earlier (a blog post ~May 28) Microsoft had branded uncoordinated public zero-day disclosures 'never justifiable,' implied legal exposure for those enabling cybercrime, and noted its Digital Crimes Unit would keep bringing cases — language widely read as aimed at 'Nightmare-Eclipse' (aka Chaotic Eclipse / Dead Eclipse), a pseudonymous researcher who since early April 2026 dumped six Windows zero-days with working PoC code to now-banned GitHub/GitLab accounts. Several were exploited in the wild: BlueHammer (CVE-2026-33825, a Windows Defender TOCTOU race using oplocks/NTFS junctions to redirect remediation writes and gain SYSTEM) and RedSun (CVE-2026-41091, abusing Defender's cloud-file rollback via oplocks/junction swaps, dropping a decoy TieringEngineService.exe).
Contrary to claims that RedSun stayed unpatched, Microsoft patched it (and the related UnDefend, CVE-2026-45498) on/around May 19-20, 2026 in Defender Platform 4.18.26040.7. The researcher alleges Microsoft deleted reporting accounts, withheld bounties and stripped attribution, and threatened a fresh drop around July 14 (the next Patch Tuesday). In its reversal Microsoft said 'we have no intention to pursue action against individuals conducting or publishing their security research' and conceded some interactions 'have fallen short,' without addressing Nightmare-Eclipse's specific grievances.
The dispute then widened: on June 3, 2026 researcher Ammar Askar disclosed a VS Code/github.dev OAuth-token-theft flaw (abusing a Jupyter Notebook and malicious workspace extension recommendations in .vscode/extensions.json to bypass consent), publishing roughly one hour after notifying a GitHub contact and citing prior MSRC 'silent fix, no credit' treatment. Microsoft said that issue was mitigated with no customer action required.
Update log · verification desk
Key facts on file
- Microsoft blog (~May 28) called uncoordinated public zero-day disclosures 'never justifiable' and cited Digital Crimes Unit cases; reversal June 1-2, 2026
- 'Nightmare-Eclipse' (aka Chaotic Eclipse / Dead Eclipse) dumped six Windows zero-days with working PoC code since early April 2026 to now-banned GitHub/GitLab accounts
- BlueHammer = CVE-2026-33825 (Windows Defender TOCTOU race using oplocks/NTFS junctions to gain SYSTEM); RedSun = CVE-2026-41091 (abusing Defender cloud-file rollback, decoy TieringEngineService.exe)
- Microsoft patched RedSun and related UnDefend (CVE-2026-45498) on/around May 19-20, 2026 in Defender Platform 4.18.26040.7
- Researcher alleges deleted reporting accounts, withheld bounties, stripped attribution; threatened fresh drop around July 14 (next Patch Tuesday)
- Microsoft quote: 'we have no intention to pursue action against individuals conducting or publishing their security research'
- June 3, 2026: Ammar Askar disclosed VS Code/github.dev OAuth-token-theft flaw (Jupyter Notebook + malicious workspace extension recommendations in .vscode/extensions.json), publishing ~1 hour after notifying a GitHub contact; Microsoft said it was mitigated with no customer action required

