Microsoft has banned security researcher Nightmare-Eclipse from GitHub following a dispute over Windows zero-day exploits. The researcher, who has published multiple critical Windows vulnerabilities, claims Microsoft acted vindictively by refusing communication, deleting their account, and withholding bug bounties. With promises of more exploits to come, this conflict highlights growing tensions between security researchers and corporate security programs.
The ongoing dispute between Microsoft and security researcher Nightmare-Eclipse (also known as Chaotic Eclipse) has escalated significantly with Microsoft's decision to ban the researcher from GitHub, forcing them to migrate to GitLab. This action comes amid allegations that Microsoft has engaged in vindictive behavior following the researcher's publication of multiple Windows zero-day exploits.

The researcher, who has demonstrated considerable technical skill by discovering and publishing six zero-day exploits for Windows, claims Microsoft deleted the Microsoft account they used for bug reporting and has refused to communicate. "They got zero pennies from doing so," Eclipse stated in a blog post, suggesting that the Microsoft Security Response Center (MSRC) bounty program paid nothing for the reported vulnerabilities.
Microsoft's bounty program offers substantial rewards: between $30,000 and $100,000 for zero-day exploits against individual endpoints, with a top award of $250,000 for Hyper-V vulnerabilities. Despite these potentially lucrative payouts, Eclipse claims to have received no compensation and says Microsoft's actions have caused financial harm.
The vulnerabilities Eclipse has published are individually serious:
- BlueHammer: Exploits Windows Defender to gain SYSTEM user privileges
- RedSun: Achieves SYSTEM access through a different method
- UnDefend: Disables Windows Defender entirely
- GreenPlasma: Leverages the CTFMon service for SYSTEM access
- MiniPlasma: Exploits a flaw in the Windows Cloud Filter driver
- YellowKey: Bypasses BitLocker encryption with minimal effort
These are critical failures of Windows security boundaries, and all the more pressing because BlueHammer, RedSun, and UnDefend have already been confirmed to be under active exploitation in the wild. With proof-of-concept code public, weaponizing them requires little effort from malicious actors, so any host missing the relevant fixes should be treated as exposed.
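Two of the controls the listed exploits target, Windows Defender and BitLocker, can be checked quickly from PowerShell. The following is an added example written for this page, not code from the article or from the researcher; it does not detect the named exploits themselves, only the end state they aim for (Defender disabled, BitLocker protection suspended) plus recent Defender "protection disabled" events worth triaging. It assumes Windows 10/11 or a Server build with the Defender and BitLocker PowerShell modules installed, run from an elevated session.

```powershell
# Added example (not from the article or the researcher): posture check for
# Windows Defender and BitLocker. Assumes the Defender and BitLocker modules
# are present and the session is elevated.

#Requires -RunAsAdministrator

function Test-DefenderPosture {
    # Get-MpComputerStatus reports the live engine state; the fields below
    # are the ones a "disable Defender" outcome would flip.
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        AntivirusEnabled          = $s.AntivirusEnabled
        RealTimeProtectionEnabled = $s.RealTimeProtectionEnabled
        TamperProtected           = $s.IsTamperProtected
        SignatureAgeDays          = $s.AntivirusSignatureAge
    }
}

function Get-DefenderDisableEvents {
    param([int]$Days = 7)
    # Defender operational log event IDs:
    #   5001 real-time protection disabled
    #   5010 malware scanning disabled
    #   5012 virus scanning disabled
    # Any of these outside a known maintenance window deserves a look,
    # whatever the cause.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5010, 5012
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # SilentlyContinue: Get-WinEvent throws when no events match.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Test-BitLockerPosture {
    # ProtectionStatus 'Off' on an encrypted volume means the key protectors
    # are suspended: the volume unlocks without its TPM/PIN check, which is
    # the condition a bypass wants to reach. VolumeStatus shows whether
    # encryption is actually complete.
    Get-BitLockerVolume |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod,
            @{ n = 'Protectors'
               e = { ($_.KeyProtector | ForEach-Object KeyProtectorType) -join ',' } }
}

Test-DefenderPosture
Get-DefenderDisableEvents -Days 7
Test-BitLockerPosture
```

A volume showing VolumeStatus "FullyEncrypted" with ProtectionStatus "Off", or a Defender status with RealTimeProtectionEnabled false and no scheduled maintenance to explain it, is what to escalate; the event query gives the timestamps to correlate against other logs on the host.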

The dispute began in early 2023 when Eclipse published the BlueHammer zero-day without first notifying Microsoft. Since then, the relationship has deteriorated sharply, with Eclipse making dramatic statements including that Microsoft "will ruin my life and they did" and promising that "July 14 will bring a reckoning" in the form of additional zero-day exploits.
Industry experts have weighed in on the situation. William Dormann from Tharros commented that "MSRC used to be quite excellent to work with. But to save money, Microsoft fired the skilled people, leaving flowchart followers. I wouldn't be surprised if Microsoft closed the case after the reporter refused to submit a video of the exploit, since that's apparently an MSRC requirement now."
This speculation about changes to Microsoft's security team raises questions about the company's commitment to engaging with security researchers. The MSRC program, once considered an industry leader, may be struggling to maintain its effectiveness.
Microsoft has remained silent on the specifics of the dispute, leaving the security community to speculate whether the situation stems from an uncooperative researcher who doesn't follow standard disclosure protocols or from a company being difficult about legitimate security reports.
The GitHub ban is a significant escalation and creates poor optics for Microsoft, especially since the code is already available on other platforms such as GitLab. In a threat landscape where AI-assisted security research has arguably made the standard 90-day disclosure-to-patch window obsolete, Microsoft's approach may be counterproductive.
The timing of this dispute is particularly noteworthy. As the gap between disclosure and exploitation shrinks and fewer published exploits go unused, software companies must adapt their security policies to the rapidly evolving threat environment. The traditional model of vulnerability reporting and remediation is under pressure from researchers who are increasingly frustrated with what they see as inadequate responses and compensation from major tech companies.

For security researchers, the ability to publish and collaborate on platforms like GitHub is essential for professional development and knowledge sharing. Banning researchers from these platforms not only punishes individuals but also potentially hinders the broader security community's ability to learn from and address vulnerabilities.
As the July 14 deadline approaches, all eyes will be on both Microsoft and Eclipse to see if additional zero-day exploits are released, and how Microsoft responds. This dispute serves as a case study in the complex relationship between security researchers and the companies whose products they test, highlighting the need for clearer communication, fair compensation, and mutual respect in the vulnerability disclosure process.
The security community will be watching closely to see if Microsoft can repair its relationship with researchers and demonstrate a renewed commitment to robust security practices, or if this marks the beginning of a more confrontational approach to vulnerability disclosure.
