
Microsoft Accused of Retaliation After GitHub Bans Security Researcher

The incident highlights a breakdown in coordinated vulnerability disclosure between Microsoft and independent researchers, with the platform-level ban raising questions about whether a company can use its ownership of a code hosting service to silence critics.

Reporting from 1 source: GIGAZINE.


Security researcher Nightmare-Eclipse claims Microsoft retaliated against them by having their GitHub account suspended after they published multiple Windows zero-day exploits. The researcher, who posted a BitLocker bypass and a Windows Defender privilege escalation exploit in April and May 2026, says Microsoft told them it would "ruin their life" and that their Microsoft account was also deleted. GitHub, which is owned by Microsoft, did not give a specific reason for the ban. Nightmare-Eclipse moved their activity to GitLab, but that account was also banned shortly after. The researcher has threatened to release more information on July 14, 2026, and has named additional vulnerabilities including "UnDefend" (CVE-2026-45498) and "RedSun" (CVE-2026-41091). Microsoft responded on May 27, stating that the vulnerabilities were not shared with the company before public disclosure, which it said does not follow coordinated vulnerability disclosure practices. Microsoft did not address the account suspension or the researcher's claims about account deletion. Security expert William Dorman suggested that Microsoft's bug bounty program may have declined in quality, possibly closing cases when researchers refuse to submit proof-of-concept videos.

Nightmare-Eclipse published the BitLocker bypass exploit in May 2026, showing that an external USB drive could access BitLocker-protected drives without a recovery key. In April they released a Windows Defender privilege escalation exploit. The researcher claims Microsoft stopped responding to their communications and deleted their Microsoft account before the GitHub ban. Tom's Hardware reported that the GitHub account suspension "looks bad" and noted that the code already exists elsewhere, making the ban ineffective for security purposes. Security researcher William Dorman told Tom's Hardware that Microsoft's Security Response Center used to be excellent but may now lack experienced engineers, potentially causing it to close cases when researchers refuse to submit demonstration videos. Microsoft's May 27 blog post named six vulnerabilities (RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma) and said none were shared with the company before public disclosure. The post did not explain the GitHub ban or the alleged Microsoft account deletion. Nightmare-Eclipse has promised a further disclosure on July 14, 2026, and has expressed intent to retaliate against Microsoft.

Synthesized by Yomimono from the 1 cited source below, including Japanese-language reporting where cited, then editorially reviewed before publishing.

Sources