Can Shared Responsibility Survive Modern Vulnerability Disclosure?
Nightmare Eclipse casts a light on the fragile trust behind bug bounty programs
┌──(insider@thread)-[~]
└─$ cat intro.txt
This week, the security world got front‑row seats to Microsoft’s clash with Nightmare Eclipse. This escalating dispute fuels broader questions about trust in the vulnerability reporting process and whether the shared responsibility model can withstand modern disclosure tensions.
Collating insights from ex-hackers, vulnerability researchers and offensive security professionals, this post examines what this incident reveals about the state of vulnerability disclosure, whether the fallout was inevitable, and which lines may have been crossed.
Nightmare Eclipse v Microsoft
Security researcher Nightmare Eclipse (Chaotic Eclipse) published several zero‑day Windows exploits on GitHub after claiming Microsoft ignored their vulnerability reports and deleted their MSRC account.
Microsoft still has chains in my hands, it’s been like this for years and I just can’t stay silent anymore. I hope I can release the documents soon.
Reference: Nightmare Eclipse blog post
The researcher was subsequently banned from GitHub (and GitLab) and has since threatened to release additional exploits on 14 July.
Mark this date July 14th, I will make sure your bones are shattered that day.
Microsoft Response:
Microsoft stated that it “firmly opposes” uncoordinated disclosure and warned that releasing proof‑of‑concept code for unpatched vulnerabilities was “never justifiable” and could have “real‑world consequences”.
The published vulnerabilities RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma have since been seen under active exploitation in the wild.
Bug Bounty and Vulnerability Disclosure
In 2025 Microsoft paid out $17M in bug bounties, the highest total bounty awarded in the program’s history.
Bug bounties are a valuable layer in a modern security program, providing a structured path for responsible disclosure, compensating researchers, and helping organisations identify issues before attackers do.
Bug bounties can be run through platforms like HackerOne or Bugcrowd, while some organisations handle vulnerability disclosure in‑house or outsource it to third‑parties.
AI and vulnerability disclosure
The availability of AI‑assisted vulnerability research is straining the disclosure model. AI‑driven scanning tools have flooded many bug bounties with low‑effort reports, prompting vendors to tighten scope, raise thresholds and reduce bounties.
Reports can outpace both the time and financial capacity of bug‑bounty programs. The trend is already visible in Apple’s bounty categories announced in October 2025, which represented a downgrade in compensation for macOS issues, including TCC bypasses.
But dismissing low‑hanging fruit has drawbacks. Many time‑constrained researchers use proof‑of‑concept submissions to gauge how responsive a program is. Brushing these off not only discourages engagement, it also overlooks the risk of chained low‑severity exploits, where minor flaws can be combined into full compromise.
Bug bounties rely on mutual trust.
Disclosure programs can lean on tactics that erode trust with researchers, for example:
Lowering bounties
Poor engagement from vendors
Drawn out disclosure processes
Downgrading the impact of a vulnerability
Retroactively updating bounty scope to exclude a disclosed vulnerability
These can signal that a vendor no longer values the findings, can’t address them, or isn’t willing to pay for them. Researchers may move on to other platforms, and in the worst case, it can push actors out of the responsible disclosure ecosystem.
“Ethical Hacking” Incentives
Many in the security industry call themselves “ethical hackers”, though any job that needs “ethical” in the title can feel uneasy. Few would be reassured by an “ethical doctor”.
More accurately, offensive security and vulnerability research operate at the intersection of legal constraints, contractual obligations, personal interpretations of the law, and their own moral compass.
Motivation plays a significant role in participation in bug bounty programs. Often there is a blend of incentives such as reputation, financial reward, developing skills or a genuine desire to improve security. But if every “ethical hacker” were driven purely by the latter, perhaps more would sit on vulnerabilities until vendors were ready?
The reality is more complex. Some researchers choose not to disclose, either keeping findings for their own use (such as in red team engagements) or waiting until the vulnerability has found its way into the public domain, to reduce damage.
The case for public disclosure
Most security professionals would attest that security by obscurity is no security at all. Bug bounties exist precisely because disclosure pressure is often the only mechanism that forces improvements, particularly in sectors where security is treated as an afterthought.
Vendors like to pretend like responsible disclosure is a moral duty, but really it’s just a courtesy to the vendor, and one they take entirely for granted. The path of least resistance, when it comes to getting a bug fixed, is to just post it publicly. It forces the vendor’s hand, and requires no further effort on the researcher’s part.
Reference: Marcus Hutchins LinkedIn post
Examining Crossed Lines
What lines were crossed in Nightmare Eclipse?
The catalyst appears to be Microsoft deleting the researcher’s MSRC account. While the communications leading up to this are not public, this suggests that Microsoft was no longer willing to engage with the disclosure process.
There are assertions that the actor could have been a former employee. Inside knowledge should always come with additional ethical and contractual obligations.
Then there’s the escalation: publishing highly destructive zero‑days. Cyberattacks have caused real‑world harm, especially those that disrupt critical national infrastructure and healthcare services. While some may recognise negative disclosure experiences or empathise with the frustration, it drags an already fragile ecosystem into dangerous territory, with pressure mechanics that resemble double‑extortion ransomware.
Finally, there are the threats: of further public disclosures and of pursuing legal consequences, which represent a complete breakdown of the mutual good faith on which a viable disclosure process relies.
Conclusion
The incident is still unfolding and raises important discussions around whether the bug bounty model is still fit for purpose. The sentiment is well summarised by the prophetic insights of dudetechitout from 2025.
Bug bounty programs have the potential to be a powerful alliance between security researchers and organizations that turn independent hunting into a collaborative defense which genuinely hardens systems against real threats. Though, the real effectiveness comes down to far more than just the technical side - it’s about building trust through transparent handling of initial PoCs, recognizing the risks of exploit chaining, and aligning incentives in a way that respects researchers’ time and effort.
This article was written based on publicly reported details and may contain incorrect information.

