THU 02 JUL 2026 · GMT EDITION A WHITESTONE INTELLIGENCE PUBLICATION
MARKETS · CYBER · MEMOS · MODELS
DAILY ISSUES26 MAY27 MAY28 MAY29 MAY30 MAY31 MAY01 JUN02 JUN03 JUN04 JUN05 JUN06 JUN07 JUN08 JUN09 JUN10 JUN11 JUN12 JUN13 JUN14 JUN15 JUN16 JUN17 JUN18 JUN19 JUN21 JUN22 JUN23 JUN24 JUN25 JUN26 JUN27 JUN28 JUN29 JUN30 JUN01 JUN02 JUNALL ›
FRONT PAGE / CYBER / CYB-2026-06-007
CYBER · cyber policy · 2026-06-02SCOOP 85

Microsoft reverses 'never justifiable' zero-day stance, vows not to pursue researchers as Nightmare-Eclipse feud spreads

Microsoft publicly walked back an aggressive disclosure stance on June 1-2, 2026 after community backlash.

·FILED ISSUE 2026-06-02·1 MIN READ·RE-VERIFIED 2026-07-02 UTC·
exclusivecorrected · see file

At a glance

  • Microsoft blog (~May 28) called uncoordinated public zero-day disclosures 'never justifiable' and cited Digital Crimes Unit cases; reversal June 1-2, 2026
  • 'Nightmare-Eclipse' (aka Chaotic Eclipse / Dead Eclipse) dumped six Windows zero-days with working PoC code since early April 2026 to now-banned GitHub/GitLab accounts
  • BlueHammer = CVE-2026-33825 (Windows Defender TOCTOU race using oplocks/NTFS junctions to gain SYSTEM); RedSun = CVE-2026-41091 (abusing Defender cloud-file rollback, decoy TieringEngineService.exe)
  • Microsoft patched RedSun and related UnDefend (CVE-2026-45498) on/around May 19-20, 2026 in Defender Platform 4.18.26040.7
  • Researcher alleges deleted reporting accounts, withheld bounties, stripped attribution; threatened fresh drop around July 14 (next Patch Tuesday)

VERDICT — CORRECTED ON THE RECORD

Specific facts were amended by the verification desk on 2026-07-02. See the update log below; the correction is permanent.
Microsoft reverses 'never justifiable' zero-day stance, vows not to pursue researchers as
Image via primary source

Microsoft publicly walked back an aggressive disclosure stance on June 1-2, 2026 after community backlash. Days earlier (a blog post ~May 28) Microsoft had branded uncoordinated public zero-day disclosures 'never justifiable,' implied legal exposure for those enabling cybercrime, and noted its Digital Crimes Unit would keep bringing cases — language widely read as aimed at 'Nightmare-Eclipse' (aka Chaotic Eclipse / Dead Eclipse), a pseudonymous researcher who since early April 2026 dumped six Windows zero-days with working PoC code to now-banned GitHub/GitLab accounts. Several were exploited in the wild: BlueHammer (CVE-2026-33825, a Windows Defender TOCTOU race using oplocks/NTFS junctions to redirect remediation writes and gain SYSTEM) and RedSun (CVE-2026-41091, abusing Defender's cloud-file rollback via oplocks/junction swaps, dropping a decoy TieringEngineService.exe).

Contrary to claims that RedSun stayed unpatched, Microsoft patched it (and the related UnDefend, CVE-2026-45498) on/around May 19-20, 2026 in Defender Platform 4.18.26040.7. The researcher alleges Microsoft deleted reporting accounts, withheld bounties and stripped attribution, and threatened a fresh drop around July 14 (the next Patch Tuesday). In its reversal Microsoft said 'we have no intention to pursue action against individuals conducting or publishing their security research' and conceded some interactions 'have fallen short,' without addressing Nightmare-Eclipse's specific grievances.

The dispute then widened: on June 3, 2026 researcher Ammar Askar disclosed a VS Code/github.dev OAuth-token-theft flaw (abusing a Jupyter Notebook and malicious workspace extension recommendations in .vscode/extensions.json to bypass consent), publishing roughly one hour after notifying a GitHub contact and citing prior MSRC 'silent fix, no credit' treatment. Microsoft said that issue was mitigated with no customer action required.

Update log · verification desk

2026-07-02Item says Nightmare-Eclipse 'threatened fresh drop around July 14 (next Patch Tuesday)'. The cited Record article instead says the researcher announced a new Secure Boot vulnerability would be disclosed 'sometime in June' — not tied to July 14; neither Register article mentions July 14 either. Also, the next Patch Tuesday after the item's June 2 date was June 9, 2026, not July 14. Evidence: https://therecord.media/microsoft-says-it-will-not-pursue-security-researchers-disclosure
2026-07-02Aliases 'Chaotic Eclipse / Dead Eclipse' for Nightmare-Eclipse appear in none of the cited sources nor independent coverage checked (The Register, The Record, Help Net Security, Picus, Barracuda); treat as unsupported. Evidence: https://www.theregister.com/security/2026/06/02/microsoft-reaches-for-olive-branch-after-public-dustup-with-0-day-researcher/5249945

Key facts on file

  • Microsoft blog (~May 28) called uncoordinated public zero-day disclosures 'never justifiable' and cited Digital Crimes Unit cases; reversal June 1-2, 2026
  • 'Nightmare-Eclipse' (aka Chaotic Eclipse / Dead Eclipse) dumped six Windows zero-days with working PoC code since early April 2026 to now-banned GitHub/GitLab accounts
  • BlueHammer = CVE-2026-33825 (Windows Defender TOCTOU race using oplocks/NTFS junctions to gain SYSTEM); RedSun = CVE-2026-41091 (abusing Defender cloud-file rollback, decoy TieringEngineService.exe)
  • Microsoft patched RedSun and related UnDefend (CVE-2026-45498) on/around May 19-20, 2026 in Defender Platform 4.18.26040.7
  • Researcher alleges deleted reporting accounts, withheld bounties, stripped attribution; threatened fresh drop around July 14 (next Patch Tuesday)
  • Microsoft quote: 'we have no intention to pursue action against individuals conducting or publishing their security research'
  • June 3, 2026: Ammar Askar disclosed VS Code/github.dev OAuth-token-theft flaw (Jupyter Notebook + malicious workspace extension recommendations in .vscode/extensions.json), publishing ~1 hour after notifying a GitHub contact; Microsoft said it was mitigated with no customer action required

PRIMARY SOURCE

The Register — Carly Page (2026-06-02)
· fetched at filing · archived at publication
Share
Filed by the Cyber desk · verified by the verification desk · re-verified 2026-07-02 · Our standards: the two-source rule ›
CITE THIS FILE — The Dossier Wire · cyb-2026-06-007 · filed 2026-06-02 · https://thedwire.com/wire/cyb-2026-06-007-microsoft-reverses-never-justifiable-zero-day-stance-vows.html · Primary and corroborating sources listed above; archived at publication. Republishing & licensing: hello@thedwire.com.
More from Cyber FULL DESK ›
Google patches 124 Android flaws including actively exploited CVE-2025-48595; CI
CYBER · SCOOP 78

Google patches 124 Android flaws including actively exploited CVE-2025-48595; CISA orders federal fix by June 5

Google's June 2026 Android security bulletin patched 124 vulnerabilities, including CVE-2025-48595, an Android Framework integer-overflow bug (CVSS 8.4) that Google says is under 'limited, targeted exploitation' in the wild. The flaw enables code execution and local privilege escalation with no user interaction, the hallmark signature of

✓ verifiedSOURCE ↗
READ THE FILE ›
Trump Signs AI Executive Order Creating Treasury-Run 'AI Cybersecurity Clea
Generated illustration · not a photograph
CYBER · SCOOP 70

Trump Signs AI Executive Order Creating Treasury-Run 'AI Cybersecurity Clearinghouse' and 30-Day Frontier-Model Reviews

On June 2, 2026, President Trump signed an executive order titled 'Promoting Advanced Artificial Intelligence Innovation and Security,' directing national-security and civilian agencies to increase scrutiny of frontier AI models and to bolster federal cyber defenses against AI-enabled threats. A central provision tasks the Treasury Depart

✓ verified
READ THE FILE ›
Cyber desk illustration
Generated desk illustration · not a photograph
CYBER · SCOOP 60

May 2026 Ransomware: 646 Leak-Site Victims Across 61 Groups; Qilin Leads for Fifth Straight Month

Breachsense tracked 646 organizations listed on ransomware leak sites in May 2026, posted by 61 distinct groups across 73 countries and 59 industries. Qilin topped the rankings with 101 claimed victims, holding the number-one spot for the fifth consecutive month, followed by TheGentlemen (70), Akira (52), DragonForce (41) and INC_RANSOM (

✓ verified
READ THE FILE ›

The morning wire in your inbox — every brief, primary sources linked, no noise.

Free tier. The Wire — continuous desk briefs · Records archive · Bureau alerts.

Stored to the wire's subscriber list. No spam, unsubscribe any time.