TLDR: REDMOND, Wash.—Microsoft banned security researcher Nightmare Eclipse from GitHub and deleted the account used to report bugs, a move Eclipse calls vindictive after unpaid bounties.
Key Takeaways:
- The background is MSRC's bug bounty structure, which reportedly pays up to $250,000 for Hyper-V bugs, and a dispute that has run since BlueHammer was released in early April.
- The GitHub ban forced Eclipse to move to GitLab, and Eclipse alleges Microsoft also deleted the Microsoft account used to report Windows zero-days.
- Experts say the optics look vindictive without any security benefit, since the exploit code is already public; the ban sets up further disclosures and sends a harsh signal to other researchers.
- Nightmare Eclipse, known for Windows zero-days such as BlueHammer, RedSun, and UnDefend, says further releases are planned around July 14.
This is one of those fights where both sides think they are protecting security, yet the most visible outcome is harder to trust and easier to exploit. When channels close, researchers do not disappear, they just change platforms and timelines. 😬
Q&A
If GitHub bans do not stop exploit code from spreading, what leverage does a company really gain?
Mostly signaling. The practical effect is limited to distribution and collaboration on that platform; it does not remove access to proof-of-concept code that has already been published.
Why might MSRC tighten process requirements like video submission, and how could that backfire?
Companies may want reproducible validation before paying. But extra gates can slow reporting, reduce payouts, and push researchers toward public disclosures instead of guided fixes.
What happens to patch urgency when exploit code is published alongside bug bounty disputes?
Patch priorities shift from negotiated handling to emergency triage: public exploit code makes in-the-wild exploitation likely, which makes timelines unforgiving and leaves little room for negotiation.
Could Microsoft have paid or engaged to defuse risk, even if it disputed the disclosure method?
Bug bounty payments can be used as a risk reduction tool. If Microsoft believed the reports were valid, paying or clearly communicating could have reduced incentives to retaliate publicly.
How should vulnerability disclosure evolve as AI-driven discovery compresses time-to-exploit and shrinks the window between disclosure and exploitation?
It likely needs tighter coordination, faster intake, and clearer acceptance criteria, so that researchers get rapid validation and fixes without being pushed into adversarial public cycles.