Microsoft, who banned Nightmare-Eclipse from their GitHub platform, conveys their displeasure with said individual

Reply to Microsoft, who banned Nightmare-Eclipse from their GitHub platform, conveys their displeasure with said individual on Thu, 28 May 2026 14:02:14 GMT

tomsellers@infosec.exchange — Thu, 28 May 2026 14:02:14 GMT

Uncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable...

Assertion not supported by currently available data. There are plenty of historical examples of vendors which have refused to act on vulnerabilities which impact customers until their arms are twisted via public disclosure.

Reply to Microsoft, who banned Nightmare-Eclipse from their GitHub platform, conveys their displeasure with said individual on Thu, 28 May 2026 12:06:59 GMT

wdormann@infosec.exchange — Thu, 28 May 2026 12:06:59 GMT

@chthonic

Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity – coordinating as needed with law enforcement around the world.

This is not an olive branch. It's a threat.

Reply to Microsoft, who banned Nightmare-Eclipse from their GitHub platform, conveys their displeasure with said individual on Thu, 28 May 2026 10:31:10 GMT

pq1r@tech.lgbt — Thu, 28 May 2026 10:31:10 GMT

@snowride509 @chthonic @wdormann Guidelines mudlines. It's not about that.

Researchers don't have to participate in responsible disclosure. They're not contractually obligated, unless they participate in bug bounties. They can just release their findings whenever they want to.

The only thing stopping most researchers from doing it is a social contract whereby the vendor takes them seriously, fixes the bug in a timely manner, and gives them credit. This has been the model the security industry coalesced around for a while.

Microsoft blatantly broke that social contract, and now they suffer the consequences, and cry crocodile tears about it. You asked for it, Microsoft. FAFO, as the kids these days say.

Reply to Microsoft, who banned Nightmare-Eclipse from their GitHub platform, conveys their displeasure with said individual on Thu, 28 May 2026 05:31:05 GMT

aristot73@infosec.exchange — Thu, 28 May 2026 05:31:05 GMT

@tiraniddo @wdormann more emphasis on "responsibility" here

From Capability to Responsibility: Securing our global digital ecosystem with next‑generation AI

Cybersecurity is at a turning point as AI accelerates vulnerability discovery, requiring safeguards and faster response.

Microsoft On the Issues (blogs.microsoft.com)

Reply to Microsoft, who banned Nightmare-Eclipse from their GitHub platform, conveys their displeasure with said individual on Thu, 28 May 2026 05:00:12 GMT

0x00string@infosec.exchange — Thu, 28 May 2026 05:00:12 GMT

@wdormann "gone by the wayside" good, they literally made it up to bully researchers.

Reply to Microsoft, who banned Nightmare-Eclipse from their GitHub platform, conveys their displeasure with said individual on Thu, 28 May 2026 04:55:09 GMT

tiraniddo@infosec.exchange — Thu, 28 May 2026 04:55:09 GMT

@wdormann and zero acknowledgement that MiniPlasma shouldn't even exist in any form. Total lack of self awareness.

Reply to Microsoft, who banned Nightmare-Eclipse from their GitHub platform, conveys their displeasure with said individual on Thu, 28 May 2026 01:03:50 GMT

joshbressers@infosec.exchange — Thu, 28 May 2026 01:03:50 GMT

@wdormann we should rename “responsible disclosure” to “Samaritan snare”

Reply to Microsoft, who banned Nightmare-Eclipse from their GitHub platform, conveys their displeasure with said individual on Thu, 28 May 2026 00:59:35 GMT

snowride509@infosec.exchange — Thu, 28 May 2026 00:59:35 GMT

@chthonic @wdormann This is absolutely not “normal” but it does happen enough for the pattern to show itself…namely the vendor here is making ticky-tack calls to not provide a bounty. Yes, MSRC has public guidelines, but they are often too rigid, IMHO. Whatever bounties were in play, they are cheaper than all the ish that has happened, namely the brand impact to MSFT.

Reply to Microsoft, who banned Nightmare-Eclipse from their GitHub platform, conveys their displeasure with said individual on Thu, 28 May 2026 00:03:30 GMT

chthonic@infosec.exchange — Thu, 28 May 2026 00:03:30 GMT

@wdormann It seems like Microsoft is also extending an olive-branch towards the end where they state they will work with any disclosure reported by whoever, regardless of reputation. From what I gather here it looks like they're laying the DCU threat while trying to keep a door open for negotiation with Nightmare-Eclipse. As a newbie, this is not how it usually goes correct? And there's no way for the public as third parties to verify either sides claims (did Nightmare-Eclipse report and then an agreement was not verified or did they simply not report at all?)