Microsoft Condemns Zero-Day Disclosures, Hints at Legal Action Against Enablers of Cybercrime
**Microsoft** has issued a strong response to recent uncoordinated disclosures of **Windows** zero-day vulnerabilities, denouncing them as unjustifiable and suggesting potential legal action against those who facilitate cybercrime. The move comes after a researcher, known as Nightmare Eclipse, released proof-of-concept code for multiple vulnerabilities, some of which have been actively exploited.
## Microsoft Responds to Zero-Day Disclosures
**Microsoft** has publicly condemned the release of multiple **Windows** zero-day vulnerabilities by a pseudonymous researcher, Nightmare Eclipse. The company stated that such uncoordinated disclosures are "never justifiable" and hinted at potential legal repercussions for those who enable cybercrime.
### The Zero-Day Releases
Starting in April, Nightmare Eclipse published vulnerabilities with working proof-of-concept code on **GitHub**, making them readily available to both attackers and security professionals. The researcher's **GitHub** account has since been removed, and their blog appears to be offline.
Among the disclosed vulnerabilities, **BlueHammer** (**CVE-2026-33825**), **UnDefend** (**CVE-2026-45498**), and **RedSun** (**CVE-2026-41091**) have been exploited in live intrusions, according to **Microsoft**'s advisories. These vulnerabilities are also listed in the U.S. Cybersecurity and Infrastructure Security Agency's (**CISA**) catalog of known exploited vulnerabilities. Three more recent releases – **YellowKey** (**CVE-2026-45585**), GreenPlasma and MiniPlasma – currently have no patches and no confirmed exploitation.
### Researcher's Motivations
The researcher, who remains anonymous, cited grievances against **Microsoft**, alleging that the company deleted their **Microsoft Security Response Center** account, withheld bounty payments, and removed attribution from at least one advisory. The researcher stated, "I could have made some insane cash selling this but no amount of money will stand between me and my determination against **Microsoft**."
The researcher has also threatened a further release on July 14, coinciding with **Microsoft**'s Patch Tuesday.
### Microsoft's Response
In a blog post, **Microsoft** stated: "We remain firmly opposed to these actions, and any disclosure outside proper coordination that could harm our customers and the digital ecosystem. Uncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable and have real-world consequences."
The company added: "Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity – coordinating as needed with law enforcement around the world."
### Industry Concerns
While the researcher's specific complaints remain unverified, other security professionals have voiced similar concerns about **Microsoft**'s handling of vulnerabilities. **Trend Micro**'s Zero Day Initiative publicly criticized **Microsoft** in 2024 for lack of acknowledgment after reporting an actively exploited vulnerability.
**Tenable**'s then-CEO published a post accusing **Microsoft** of keeping customers in the dark about an **Azure** vulnerability that remained unpatched for months after disclosure. A **Check Point** researcher also reported that **Microsoft** patched a bug he reported without notifying him.
**Katie Moussouris**, founder of Luta Security and the architect of **Microsoft**'s original bug bounty program, noted that while dropping zero-days isn't ideal, "Non-disclosure is far worse... What drives researchers toward non-disclosure? Threats from vendors."
**Microsoft** maintains that it welcomes vulnerability submissions through its public researcher portal, regardless of past interactions or reputation.
