Sat, 13 Jun 2026

Microsoft Loses Trust of Security Researchers Over Zero-Day Dispute

A security researcher publishing under the pseudonym "Nightmare Eclipse" has disclosed several Windows zero-day vulnerabilities. Instead of fixing the bugs, Microsoft deleted the researcher's accounts, undermining trust in the security community.


According to Heise, Microsoft has embroiled itself in a seemingly irrational dispute with a security researcher, squandering the remaining trust of the security community. The trigger was the publication of a Windows zero-day vulnerability dubbed “Bluehammer” in early April by a user going by the pseudonym “Nightmare Eclipse.” The accompanying blog post was brief and contained no technical details—instead, the researcher directly addressed Microsoft: “I didn’t bluff, Microsoft, and I will do it again.”

Escalation: Account Deletions

In the following weeks, Eclipse published further vulnerabilities named “RedSun,” “UnDefend,” “GreenPlasma,” “YellowKey,” and “MiniPlasma”—a clear signal that the threat was serious. Instead of closing the now-public security holes, Microsoft reacted emotionally: the company had the researcher’s GitHub account, through which the disclosures were made, deleted, and afterwards also the GitLab account Eclipse switched to. The account used for communication with the Microsoft Security Response Center (MSRC) was removed as well.

Loss of Trust in the Security Industry

The case highlights a fundamental problem in dealing with security researchers. Instead of cooperating, Microsoft opts for confrontation—an approach that destroys long-term trust in the community. Security researchers rely on good collaboration with vendors to report vulnerabilities responsibly. But when Microsoft deletes accounts instead of fixing flaws, the company risks that future findings will be published directly rather than reported to the vendor at all.

Microsoft’s response raises questions: Why does the company not prioritize fixing the security holes? And how does it plan to regain researchers’ trust? So far, there has been no official statement regarding the account deletions. The “Nightmare Eclipse” case could be a wake-up call for the industry—or another step toward a confrontational culture that ultimately harms everyone.

Source: www.heise.de