How Microsoft’s Conflict With 0-Day Researcher Nightmare Eclipse Escalated

CyberSecureFox Editorial Team

Microsoft published a statement in which it stepped back from its aggressive rhetoric in a conflict with security researcher Nightmare Eclipse (also known as Chaos Eclipse), who had previously disclosed exploits for six unpatched Windows vulnerabilities. The company stated that it does not intend to take legal action against professionals engaged in security research. This about-face came after widespread criticism from the professional community, including former Microsoft employees. The situation touches on the fundamental question of how large vendors and independent vulnerability researchers relate to each other.

Timeline of the conflict

The conflict began after Nightmare Eclipse, without prior notification to Microsoft, disclosed information about six unpatched vulnerabilities. Four of them have been assigned CVE identifiers and are registered in the NVD: CVE-2026-33825 (BlueHammer), CVE-2026-41091 (RedSun), CVE-2026-45498 (UnDefend) and CVE-2026-45585 (YellowKey). Two more vulnerabilities — GreenPlasma and MiniPlasma — are mentioned without assigned CVEs, and their status remains unconfirmed by independent sources. None of the four CVEs has been added to the CISA Known Exploited Vulnerabilities catalog, but public PoC exploits exist for these vulnerabilities.

At the end of May, Microsoft stated that publishing exploits for unpatched bugs “cannot be justified by anything” and mentioned the Digital Crimes Unit, which investigates cybercrime in cooperation with law enforcement agencies. Although no direct threats were voiced, the security community perceived this as veiled pressure.

Community reaction and Microsoft’s retreat

Microsoft’s stance drew sharp criticism from respected experts. According to the original report, former Microsoft employee Kevin Beaumont called the situation “a catastrophe of Microsoft’s own making.” Florian Roth, head of research at Nextron Systems, pointed out that the company had made a serious mistake by turning the situation into a public confrontation. Katie Moussouris — creator of Microsoft’s bug bounty program and founder of Luta Security — highlighted the contradictory signals from the company: on the one hand, stories about rewards for researchers, on the other — a conflict with a specialist who claims to have received neither recognition nor payment. She described the mention of the Digital Crimes Unit as “a veiled threat.”

As a result, Microsoft was forced to soften its position. The key points of the new statement are:

  • The company does not intend to take legal action against people engaged in security research or publishing its results.
  • Cooperation with law enforcement is possible only in cases of unlawful activity that causes real harm to customers.
  • The company acknowledged that some interactions with researchers “may not have gone as smoothly as they could have” and promised to take the feedback on board.

At the same time, Microsoft did not comment in any way on the researcher’s specific allegations about account blocking and non-payment of rewards.

Escalation: new disclosures

The conflict appears to have had the opposite effect from what Microsoft expected. Nightmare Eclipse reported on his blog that after the company’s public pressure, other researchers began contacting him and sharing information about discovered vulnerabilities. In particular, he announced a vulnerability called Bitskrieg, attributed to researcher JonasLyk, which allegedly breaks Secure Boot protection and allows BitLocker to be bypassed. Technical details are expected in June. It should be emphasized that this information is based solely on the researcher’s personal blog post and has not been confirmed by the vendor or by independent sources.

In parallel, another specialist, Ammar Askar, disclosed information about a 0-day vulnerability in Visual Studio Code just one hour after notifying GitHub developers. According to available information, his motivation was a previous negative experience interacting with MSRC. Although this case is not directly related to Nightmare Eclipse, it illustrates a systemic problem in Microsoft’s relationship with the research community.

Impact assessment and systemic conclusions

The situation goes beyond a one-off conflict and exposes a structural problem. When the largest software vendor loses the trust of researchers, the consequences affect the entire Windows security ecosystem — and therefore corporate and government users around the world. Each disclosure of a vulnerability without prior notification to the vendor creates a window of opportunity for attackers until a patch is released.

The highest risk is borne by organizations that use the affected Windows components, especially if the vulnerability in the Secure Boot / BitLocker chain is confirmed. Bypassing full-disk encryption can have critical consequences for data protection in scenarios involving physical access to a device.

Recommendations

  • CVE monitoring: track updates for CVE-2026-33825, CVE-2026-41091, CVE-2026-45498, CVE-2026-45585 in the NVD and watch for CVSS scores to be assigned and for official Microsoft patches to be released.
  • Public PoCs: keep in mind that public exploits are available for the listed vulnerabilities. Assess their applicability to your infrastructure before patches are released.
  • Bitskrieg: before technical details are published and independently verified, review the current configuration of Secure Boot and BitLocker policies in your environment. Make sure UEFI firmware is updated to the latest versions.
  • VS Code extensions: restrict installation of extensions from untrusted sources and keep track of security updates for Visual Studio Code.
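One way to carry out the Secure Boot / BitLocker configuration review from the list above, as an added read-only posture check that is not part of the article. It assumes Windows 10/11 with the built-in SecureBoot and BitLocker PowerShell modules and an elevated session; the flagged conditions are this script's own heuristics, not a Microsoft baseline.

```powershell
# Added example (not from the CyberSecureFox article): read-only posture check of the
# Secure Boot / BitLocker chain. Assumes Windows 10/11, elevated PowerShell, and the
# SecureBoot and BitLocker modules. Findings below are this script's own heuristics.
$findings = @()

# 1. Secure Boot state (Confirm-SecureBootUEFI throws on legacy BIOS / non-UEFI boot)
try {
    $secureBoot = Confirm-SecureBootUEFI
} catch {
    $secureBoot = $null
}
if ($secureBoot -ne $true) {
    $findings += "Secure Boot is not enabled (or the system did not boot via UEFI)"
}

# 2. TPM availability, required for TPM-backed BitLocker key protectors
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    $findings += "TPM is absent or not ready"
}

# 3. BitLocker: every volume fully encrypted with protection on; the OS volume should
#    carry a TPM-backed protector, and TPM+PIN resists attacks needing physical access
#    better than TPM-only unlock (heuristic chosen for this example).
$tpmTypes = @('Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')
$pinTypes = @('TpmPin', 'TpmPinStartupKey')
foreach ($vol in Get-BitLockerVolume) {
    $types = @($vol.KeyProtector.KeyProtectorType | ForEach-Object { "$_" })
    if ("$($vol.VolumeStatus)" -ne 'FullyEncrypted') {
        $findings += "$($vol.MountPoint): VolumeStatus is $($vol.VolumeStatus)"
    }
    if ("$($vol.ProtectionStatus)" -ne 'On') {
        $findings += "$($vol.MountPoint): ProtectionStatus is $($vol.ProtectionStatus)"
    }
    if ("$($vol.VolumeType)" -eq 'OperatingSystem') {
        if (-not ($types | Where-Object { $tpmTypes -contains $_ })) {
            $findings += "$($vol.MountPoint): OS volume has no TPM-backed protector (protectors: $($types -join ', '))"
        } elseif (-not ($types | Where-Object { $pinTypes -contains $_ })) {
            $findings += "$($vol.MountPoint): OS volume uses TPM-only unlock; consider requiring a PIN"
        }
    }
}

# 4. Firmware identity and release date, to compare against the OEM's latest UEFI release
$bios = Get-CimInstance -ClassName Win32_BIOS
[PSCustomObject]@{
    Firmware   = "$($bios.Manufacturer) $($bios.SMBIOSBIOSVersion) ($($bios.ReleaseDate))"
    SecureBoot = $secureBoot
    Findings   = $findings
}
```

Run it on each endpoint class in the inventory; an empty Findings list means the configured chain matches the heuristics, not that the unconfirmed Bitskrieg issue is mitigated.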

This conflict is a clear demonstration of how a vendor’s attempt to suppress an inconvenient researcher can lead to a cascading deterioration of the situation. For organizations using Windows, the practical takeaway is straightforward: without waiting for official patches, inventory systems that may be affected by the four confirmed CVEs and prepare a plan for rapid updating as soon as Microsoft releases fixes. Separately, keep an eye on the June publication of Bitskrieg details — if a BitLocker bypass is confirmed, this will require a reassessment of the data protection model on endpoint devices.
