Investigation · Vulnerability disclosure

The vulnerability Microsoft fixed from an account it had already deleted

A retaliatory wave of Windows zero-days has put Microsoft's Security Response Center on the defensive — and reopened a decade-old question about who gets paid, who gets credited, and who gets called a criminal.

The Microsoft sign outside the company's Visitor Center, Building 92, on its Redmond campus.

Image: Lectrician1 / Wikimedia Commons (CC BY-SA 4.0)

On May 27, Microsoft's Security Response Center published a 1,100-word defense of how it handles the people who find holes in its products. The post is titled "A shared responsibility: Protecting customers through Coordinated Vulnerability Disclosure." It says the company works with hundreds of researchers, and that its process "ensures researchers are compensated for their responsible disclosures and publicly acknowledged for their expertise." It names six Windows exploits — RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma — as vulnerabilities that were not disclosed responsibly, and warns that Microsoft's Digital Crimes Unit will "continue bringing cases against these actors and those that" enable them.

One of those six has a CVE number: CVE-2026-45585, the BitLocker bypass the researcher calls YellowKey. Microsoft published the advisory crediting the finding. According to the researcher, it did so after deleting the Microsoft account they had used to report bugs in the first place. That is the detail worth holding onto, because it sits at the center of everything that followed: an advisory issued for a vulnerability reported through a channel the company says it closed, attributed to a person the company is simultaneously describing as a threat actor. The record does not yet resolve that contradiction. But the contradiction is the story.

Six exploits in six weeks

The person behind the disclosures goes by Nightmare-Eclipse — also Chaotic Eclipse, Dead Eclipse, or just Eclipse. Beginning in early April 2026, they released six Windows zero-day exploits over roughly six weeks, posting working proof-of-concept code to GitHub and GitLab. Both platforms banned the accounts. Threat-intelligence writeups describe a campaign that does not fit the usual categories: no apparent profit motive, no cause, no state sponsor. Researchers who tracked it landed on a simpler explanation — a single person with a grudge.

The exploits are not theoretical. According to a Barracuda analysis published May 19 and reporting by The Register, the technical picture breaks down roughly as follows:

  • BlueHammer (CVE-2026-33825) — a Windows Defender privilege-escalation flaw that lifts a standard user to SYSTEM. Patched, but exploited in the wild before the fix landed.
  • RedSun — a second route to the same SYSTEM-level escalation through a different vector. Reporting differs on its status; The Register ties it to CVE-2026-41091 and lists it among the exploits attackers have actively used, while Barracuda's writeup describes it as silently addressed without a CVE.
  • UnDefend — not an access exploit but an evasion tool, degrading Defender's ability to spot anything new while keeping the endpoint looking healthy. Reported as actively exploited.
  • YellowKey (CVE-2026-45585) — a BitLocker bypass aimed at TPM-only configurations, i.e. the default. The threat is to lost, stolen, or confiscated hardware.
  • GreenPlasma — described as a partial local privilege-escalation primitive, a building block rather than a finished weapon. No CVE.
  • MiniPlasma — a local privilege-escalation exploit that reportedly revives a flaw Microsoft said it fixed in 2020, and that researchers say still works on fully patched Windows 11. No CVE.

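The YellowKey entry above singles out TPM-only BitLocker configurations, the default, as the exposed setup. The following PowerShell is an added example written for this piece, not code from the article, the researcher, or Microsoft: it inventories BitLocker operating-system volumes on a Windows host and flags any that unlock with a bare TPM protector and no pre-boot PIN or startup key. It assumes the standard BitLocker module cmdlets (Get-BitLockerVolume, Add-BitLockerKeyProtector) and their documented KeyProtectorType values, and must run in an elevated session.

```powershell
# Added example (not from the article): find BitLocker OS volumes protected only by the TPM,
# the configuration the article says the YellowKey bypass targets on lost or stolen hardware.
# Assumes the built-in BitLocker module on Windows Pro/Enterprise and an elevated session.

function Get-TpmOnlyBitLockerVolumes {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # TPM-based protectors only apply to the operating-system volume; data volumes
        # use passwords, auto-unlock or external keys and are out of scope here.
        if ($vol.VolumeType -ne 'OperatingSystem') { continue }

        # KeyProtector may be empty on an unencrypted volume; @() keeps it a real array.
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

        # "TPM-only" means the volume unlocks with the bare Tpm protector and has no
        # pre-boot authentication protector (PIN and/or startup key) configured beside it.
        $hasTpm         = $types -contains 'Tpm'
        $hasPreBootAuth = ($types -contains 'TpmPin') -or
                          ($types -contains 'TpmStartupKey') -or
                          ($types -contains 'TpmPinStartupKey')

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus
            KeyProtectors    = ($types -join ', ')
            TpmOnly          = ($hasTpm -and -not $hasPreBootAuth)
        }
    }
}

# Produce the inventory and point at the mitigation the article's threat model implies:
# add a PIN so that physical possession of the device alone is not enough to reach the
# unlock path. The Add-BitLockerKeyProtector line is printed as a suggestion, not executed.
$report = Get-TpmOnlyBitLockerVolumes
$report | Format-Table -AutoSize

foreach ($r in ($report | Where-Object { $_.TpmOnly })) {
    Write-Warning ("{0} relies on a TPM-only protector; consider: " +
                   "Add-BitLockerKeyProtector -MountPoint '{0}' -TpmAndPinProtector") -f $r.MountPoint
}
```

Run it as Administrator on a fleet via your usual remoting or endpoint-management tooling and collect the TpmOnly column. Note that adding a TPM+PIN protector can be blocked by the "Require additional authentication at startup" group policy if it does not permit a startup PIN, so check that policy before remediating at scale.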
Take the disclosures at face value and they are dangerous. Publishing live exploit code for unpatched flaws is not a victimless act of protest; at least three of the six were being used in real attacks soon after the code went public, and the people exposed to those attacks had no part in whatever dispute set this off. One independent analyst, quoted by The Register, put the damage bluntly: a single individual caused more enterprise-level harm in six weeks than most state-backed groups manage in a year. None of what follows changes that. Both things can be true at once — that the method was reckless, and that the grievance behind it is documented.

"They will ruin my life"

Eclipse's account, posted to their own blog and summarized across security trade press, is a list of specific claims. That Microsoft's Security Response Center deleted the account they used to submit vulnerabilities. That they were paid nothing — "zero pennies," in their words — for disclosures they say were legitimate. That the company "humiliated" and insulted them publicly. And, most pointedly, that MSRC personnel told them directly they would ruin their life. "I was told personally by them that they will ruin my life and they did," the researcher wrote. They have since threatened further releases, naming a date — July 14 — and others in the community have teased a Secure Boot and BitLocker bypass dubbed Bitskrieg for sometime in June.

These are allegations, not findings, and they come from a person actively dumping exploits — a person with every reason to frame their own conduct sympathetically. Microsoft has not addressed the specific claims about account deletion or the alleged threat, and the identity behind Eclipse is unverified; the prevailing theory that they are a former insider remains a theory. What the record does support is narrower: that the claims were made, in detail, and that they were specific enough to check against other people's experiences. That is where the story stops being about one angry person.

The asymmetry is the point. The company decides what counts as a vulnerability, what earns a CVE, what earns a check, and who gets called responsible — and the researcher finds out the verdict after the work is done. — Sam Brenner

The pattern, with receipts

The reason a lone exploit-dumper detonated a week of headlines is that the grievance was familiar. The complaints that surfaced alongside Eclipse's — reports labeled "does not meet the bar for servicing," no CVE issued, then a quiet fix shipped a month or two later with no acknowledgment and no payment — describe a process other researchers say they have been through. The shape recurs: submit a flaw; receive a rejection or a months-long silence; watch the behavior change in a later build anyway; find no CVE, no bounty, and no credit at the end of it.

There is a cleaner, fully separate example in the record. In April, a researcher named Justin O'Leary reported what he described as a critical privilege-escalation flaw in Azure Backup for AKS, allowing a low-privileged "Backup Contributor" role to reach cluster-admin. According to BleepingComputer, MSRC rejected the report on April 13, characterizing it as a case where the attacker already held administrator access — a description O'Leary disputes. No CVE was issued. O'Leary then documented new permission checks and failed exploit attempts appearing after his disclosure, the fingerprints of a silent patch. Microsoft told BleepingComputer the behavior was expected and that "no product changes were made." The researcher's evidence and the company's statement do not agree.

O'Leary is not Eclipse. He did not dump exploits or threaten anyone; he filed a report and went public with his frustration through ordinary channels. That is what makes his case useful here. It is the same mechanism — rejected report, no CVE, evidence of a quiet fix, a company statement that the record seems to contradict — surfacing in a completely different product, from a completely different person, in the same window of time. One disgruntled researcher is an anecdote. The same complaint, independently, from people with nothing in common but the counterparty, is a pattern.

A fight over one word

Part of this dispute is being waged over vocabulary, and the vocabulary matters more than it looks. When Microsoft softened its public posture on June 2, it quietly dropped the phrase "responsible disclosure" and replaced it with "Coordinated Vulnerability Disclosure." That was not an accident of phrasing. The industry deliberately moved away from "responsible" around 2010 precisely because of what the word implies about everyone who discloses on different terms — that they are being irresponsible.

Katie Moussouris would know. She helped build Microsoft's bug bounty program and pushed the company toward coordinated disclosure in the first place. Writing on Bluesky as the dispute escalated, she flagged the reappearance of "responsible disclosure" as loaded — no vendor reaches for that term, she argued, unless it wants to cast someone as irresponsible. The point is not pedantic. The framing decides who carries the moral weight in the exchange. "Coordinated" describes a process two parties owe each other. "Responsible" assigns the duty, and the blame, to one side: the side that does not control the CVE, the bounty, or the advisory.

The threat, and the retreat

For a few days, Microsoft's answer to the exploit wave included the threat of prosecution. The May 27 post invoked the company's Digital Crimes Unit and its intent to keep "bringing cases against these actors and those that" enable criminal activity, coordinating with law enforcement worldwide. Read against the backdrop of researchers complaining they were never paid or credited, the message landed as a warning to the whole field: disclose on our terms or risk the long arm of a corporate crimes unit. The reaction was swift enough — security researchers, reporters, and former Microsoft people among them — that the company moved.

On June 2, Microsoft issued a markedly softer statement. "We have no intention to pursue action against individuals conducting or publishing their security research," it said, reserving any legal referral for those "engaging in malicious activity that causes harm to customers." It allowed that "some interactions have fallen short" and said it would learn from the feedback. What it did not do was address Eclipse's specific allegations — the deleted account, the unpaid bounties, the alleged threat. The posture changed. The factual disputes underneath it did not.

"Coordinated" describes a duty two parties owe each other. "Responsible" assigns it to the one side that controls neither the CVE, the bounty, nor the advisory. — Sam Brenner

The longer paper trail

None of this began in April. In July 2023, Senator Ron Wyden of Oregon wrote to the Cybersecurity and Infrastructure Security Agency, the Department of Justice, and the Federal Trade Commission, asking each to examine what he called Microsoft's "negligent cybersecurity practices" — the failures that, he argued, had enabled a Chinese espionage campaign against U.S. government email, including the accounts of senior officials, after the theft of a Microsoft signing key. The letter asked DOJ to weigh whether the negligence broke federal law, CISA to examine the handling of the key, and the FTC to consider whether privacy statutes were violated.

That letter contained the number that has followed Microsoft ever since. Citing Google's Project Zero, Wyden wrote that Microsoft products accounted for an aggregate 42.5 percent of all zero-day vulnerabilities discovered since 2014. It is a figure about the breadth of the company's footprint as much as the state of its code — Microsoft software is nearly everywhere, so a large share of discovered flaws will be Microsoft's by default. But it is also the kind of statistic a senator puts in a letter to three federal agencies, and Wyden was not done: in September 2025 he wrote the FTC again, this time over a Kerberoasting weakness he tied to ransomware. The scrutiny is not new, and it is not coming only from anonymous researchers with grudges.

What would actually change it

Strip away the anime avatar and the threats and the theater, and what is left is a question about incentives. A vulnerability disclosure program works only if the party receiving the reports is trusted to grade them honestly — to issue a CVE when a flaw is real, to pay when payment is owed, and to credit the person who did the work. Each of those decisions sits with the vendor. The researcher submits, then waits to learn how their own finding will be classified, by the same company whose product it embarrasses. When that trust holds, coordinated disclosure is the quiet machinery that keeps most flaws off the open internet until they are fixed. When it frays, people stop coordinating.

That is the structural truth under the Eclipse story, and it is why a single bad actor managed to speak for a lot of people who would never dump a zero-day. The fix is not rhetorical. It is a CVE process that does not let a vendor quietly patch a flaw it declined to acknowledge; bounty decisions that can be appealed to someone other than the company that made the call; and an end to silent fixes that erase the evidence a finding ever existed. None of that excuses publishing live exploits that got ordinary users attacked. But the record shows a company that, for years, has been told its disclosure machinery treats the people feeding it as adversaries — and a machine that keeps running the same way. Eclipse is the symptom. The ledger is the disease.

References

  1. Microsoft Security Response Center — A shared responsibility: Protecting customers through Coordinated Vulnerability Disclosure
  2. The Register — Microsoft 0-day feud escalates as researcher threatens another Windows exploit dump
  3. The Register — Microsoft reaches for olive branch after public dustup with 0-day researcher
  4. Barracuda Networks — Nightmare-Eclipse: six zero-days, six weeks and one big grudge
  5. The Record / Recorded Future News — Microsoft says it will not pursue security researchers after zero-day backlash
  6. BleepingComputer — Microsoft rejects critical Azure vulnerability report, no CVE issued
  7. Office of U.S. Senator Ron Wyden — Letter to CISA, DOJ, FTC re 2023 Microsoft breach (PDF)
  8. SecurityWeek — US Senator Wyden Accuses Microsoft of 'Cybersecurity Negligence'