
Microsoft strongly supports Coordinated Vulnerability Disclosure (CVD) and urges the research community to share its findings and give affected vendors an opportunity to better understand the impact and take action before the information becomes public.
The development comes after a researcher named Chaotic Eclipse (also known as Nightmare-Eclipse) disclosed details of multiple zero-day vulnerabilities over the past month affecting multiple Windows components, including Defender and BitLocker, citing a mishandling of Microsoft’s vulnerability disclosure process.
“Several zero-day vulnerabilities have been made public in recent weeks,” the tech giant said. “The details of these vulnerabilities were not shared with Microsoft prior to release, and their publication exposed customers to unnecessary risk.”
“In response to the unnecessary risks posed by these disclosures, our security teams have been working around the clock to understand the impact, protect our customers, and develop security updates.”
The vulnerabilities include BlueHammer (CVE-2026-33825), RedSun (CVE-2026-41091), UnDefend (CVE-2026-45498), YellowKey (CVE-2026-45585), GreenPlasma, and MiniPlasma. After exposure, BlueHammer, RedSun, and UnDefend all became exploitable in the wild.
Microsoft “categorically” opposes such unregulated disclosure, saying that publishing proof-of-concept code for unpatched vulnerabilities could have “real-world implications” if it ends up in the wrong hands.
“We welcome diverse perspectives that help the security community work together to protect everyone. We recognize that we won’t always agree on everything, but we value transparency and will continue to create opportunities for dialogue,” the tech giant added.
“These conversations happen at researcher appreciation events, security conferences, and in the everyday work we do together to understand and address vulnerabilities.”
In the fallout from these revelations, GitHub reportedly deleted the researcher’s account last week. Exploit code for six vulnerabilities was then uploaded to GitLab, but the newly created accounts were subsequently blocked.
“So let me be clear: when I asked you to actively communicate, you refused, shamed me, and invariably humiliated me in front of people,” the researcher said in a post published over the weekend.
“You slandered me publicly with the CVE-2026-45585 advisory, even though I literally deleted the Microsoft account I was using to report bugs, and I didn’t get a dime for it, and yet I was willing to act like a fool. Now, would you politely flag my GitHub account and erase it from public view just like that? You are proving to everyone that you are reporting a bug. [sic] We are actively escalating this conflict, but we are done asking.”
The researcher also said they intend to release something on July 14, 2026 that “will shatter your bones on that day.”
