0-day researcher threatens ‘bone shattering drop’ after Microsoft calls police

Summary
– Security researcher Nightmare Eclipse released six Windows zero-days and promised a “bone shattering” drop on July 14, with three exploits (BlueHammer, RedSun, UnDefend) already under active attack.
– Microsoft stated the bugs were not reported through its official channels and condemned the disclosure as harmful to customers, while threatening legal action against the researcher.
– Nightmare claims Microsoft deleted their account, refused communication, and insulted them, leading to the extreme disclosure behavior.
– Security experts criticized Microsoft’s handling, noting the company’s “mixed messages,” lack of de-escalation, and poor communication about risks to customers.
– The conflict highlights a broader industry issue with coordinated vulnerability disclosure, where researchers feel pushed to extremes when legitimate channels are closed.
Six zero-days. Three actively exploited in the wild. And a threat of more to come on July 14. The escalating conflict between Microsoft and the security researcher known as Nightmare Eclipse, also called Chaotic Eclipse, has reached a critical flashpoint. The disgruntled bug hunter, who has already released half a dozen Windows zero-days, is now promising a “bone shattering” disclosure event next month.
Microsoft finally broke its silence on the matter with a blog post addressing its stance on (un)coordinated vulnerability disclosure. The post detailed the now-public flaws: RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma. According to Redmond, none of these vulnerabilities were reported through official channels before being made public.
Attackers wasted no time weaponizing three of the six (BlueHammer, RedSun, and UnDefend) shortly after Nightmare published working proof-of-concept exploit code on GitHub and GitLab accounts, both of which have since been banned. The remaining three flaws (YellowKey, GreenPlasma, and MiniPlasma) remain unpatched. Microsoft has flagged YellowKey (CVE-2026-45585) as “exploitation more likely,” citing an active proof-of-concept.
In its Wednesday blog post, Microsoft took a firm stance against the researcher’s actions. “We remain firmly opposed to these actions, and any disclosure outside proper coordination that could harm our customers and the digital ecosystem,” the company wrote. The post also carried what many interpreted as a legal warning: “Uncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable and have real-world consequences. Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity.”
The Register reached out to Microsoft with several questions, including whether it plans to sue Nightmare, whether the researcher is a current or former employee, and whether the company terminated Nightmare’s MSRC account, effectively cutting off their ability to report bugs. Microsoft did not respond.
Nightmare claims that’s exactly what happened. In a recent anti-Microsoft post, they wrote: “When I actively asked you to communicate with me, you refused, humiliated me and made sure to insult me in front of people. You defame me in public with your CVE-2026-45585 advisory even though you literally deleted the Microsoft account I used to report bugs to you with and I got zero pennies from doing so and I still happily did like an idiot.”
The researcher added that Microsoft still holds back certain “chains,” preventing the release of additional “documents” in June. Then came the warning: “Mark this date July 14th, I will make sure your bones are shattered that day.”
Even if nothing materializes on that date, the damage is already done. Systems engineer Muhammad Qasim Shahzad described the fallout on LinkedIn: “One person caused more enterprise-level damage in six weeks than most APT groups cause in a year. The gap between disclosure and weaponization is now measured in hours, not days. Your patching window is shrinking fast.”
Dustin Childs, head of bug hunting at Zero Day Initiative and a former Microsoft security employee with decades of experience on both sides of the coordinated vulnerability disclosure (CVD) process, told The Register that Microsoft could have handled the situation better. He questioned what drove the relationship to this breaking point. “CVD is a two-way street,” Childs said. “The vendor has some responsibility as well, so to go out publicly stating this person violated CVD without showing any of the correspondence seems bold.”
He also noted that Microsoft could do more to communicate real risk to customers. “What the real risks from these bugs are and how they can defend themselves: that clear direction seems to be missing.”
Katie Moussouris, founder and CEO of Luta Security and the architect of Microsoft’s bug bounty program, described Redmond’s response as sending “mixed messages.” She pointed out that Microsoft’s blog claims its program “ensures researchers are compensated and publicly acknowledged,” a statement that directly contradicts the researcher’s account of receiving neither. “The language choices are also not deescalating,” Moussouris said. “Microsoft invoked the outdated term ‘responsible disclosure,’ which I retired years ago at Microsoft because it was subjective and judgy.”
According to Moussouris, that phrase “got in the way of coordination” when the two sides disagreed on how best to protect end users. She also noted the mention of the Digital Crimes Unit in a post about vulnerability disclosure “makes the post vaguely threatening, which seems intentional.” Yet Microsoft closes the post by saying it welcomes reports regardless of disclosure history. “No one except the parties involved can know for sure what happened between this researcher and Microsoft,” she added. “Whatever the facts, it’s hard to imagine why Microsoft would not try to deescalate, if for no other reason than avoiding the chilling effect on other researchers.”
Security researcher Kevin Beaumont, another former Microsoft employee, called the ongoing saga a “dumpster fire of [Microsoft’s] own making.” In his blog, Beaumont noted that Microsoft previously hired SandboxEscaper, a hacker who published zero-day POC exploits for Microsoft products, an action Redmond’s current blog now frames as criminal. “If Microsoft’s tactic is to try to criminalise not following often arbitrary ‘responsible disclosure’ frameworks, good luck defending that in court, because there’s a whole clown car of prior decision making within Microsoft and facts which would emerge in that process,” Beaumont wrote.
To be clear, neither Beaumont nor the researchers The Register spoke to support Nightmare’s zero-day tactics. Childs called the July 14 threat “troubling,” and Moussouris said the date combined with “incendiary language… doesn’t help organizations trying to make sense of the technical risk.”
Still, Moussouris acknowledged that the researcher’s latest post, taken alongside earlier statements, “paint[s] a picture of someone who believes they have been pushed to this extreme. It is the sound of someone who believes every legitimate channel was closed to them: GitHub account deleted, payments withheld, credit stripped, then publicly accused of violating CVD after Microsoft cut off their ability to coordinate. The researcher’s grievances are serious and specific.”
Ultimately, Moussouris stressed, “the bugs are Microsoft’s. They wrote the code and they own the risk to customers. Often researchers who previously work with a vendor respond in the extreme only when they feel there is no other choice. The power they hold is not at all proportionate to the vendor. This is a David and Goliath dynamic we don’t like to see play out, especially since it’s users who lose when coordination negotiations fail.”
While this case is extreme, perhaps the most extreme example of coordinated disclosure gone wrong, it is not an isolated problem. Researchers have voiced frustrations with CVD and Microsoft’s bug disclosure practices for years. “While some companies have improved, Microsoft has not,” Childs said. “If anything, they are seen as difficult to work with, especially if your bug is Moderate instead of Critical. I’ve had researchers tell me that they stopped looking at Microsoft altogether because they were too difficult to work with.”
And with AI-assisted bug reports becoming the norm and vulnerability counts skyrocketing, these types of disputes are likely to increase. “We as an industry need to take a breath, remember there are real people involved, and that poor interactions could lead to real customer risk,” Childs said. “Real-world impact is lost far too often when disclosure goes wrong.”
(Source: Theregister.com)