Microsoft and a prominent cybersecurity researcher have gotten into a very public and rather personal exchange of unpleasantries about what responsible cybersecurity disclosures should mean in 2026.
A cybersecurity researcher going by the name Nightmare Eclipse, who has disclosed several cybersecurity holes before patches were available, posted that he had tried to contact Microsoft officials and was rebuffed, which led him to publish details about the bugs.
“When I actively asked you [Microsoft] to communicate with me, you refused, humiliated me and made sure to insult me in front of people. You defame me in public with your CVE-2026-45585 advisory even though you literally deleted the Microsoft account I used to report bugs to you with and I got zero pennies from doing so and I still happily did like an idiot,” the researcher posted, adding that Microsoft has now deleted his GitHub account. “You are proving to everyone that you [are] actively escalating this conflict but I’m done begging you.”
The researcher then made a cryptic threat: “Mark this date July 14th, I will make sure your bones are shattered that day.”
In another post, the researcher was even more direct: “I was told personally by [Microsoft] that they will ruin my life and they did,” adding that Microsoft will “do everything but support the research community, I won’t disclose details, but they sabotage people a lot.”
Microsoft responded with its own post saying that some of the vulnerabilities revealed by the researcher “were not responsibly disclosed” and that there was an “unnecessary risk created by these disclosures,” adding, “uncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable, and have real-world consequences.”
It was then Microsoft’s turn to get personal, with the veiled implication that the researcher has a bad reputation. “We always have and will continue to welcome vulnerability submissions from anyone through our public researcher portal, regardless of past interactions or reputation,” the post said.
However, one senior Microsoft security executive posted a somewhat more conciliatory message, suggesting that while the company’s criteria for deciding what gets fixed are not changing, the pace at which patching practices are applied may have to.
“At this time, we are not changing our bug bar or the criteria we use to decide when a fix is required, though we will continue to evaluate as conditions evolve. Severity continues to be grounded in real-world impact and exploitability, drawing on the full set of signals in the Security Update Guide,” wrote Tom Gallagher, VP of engineering at the Microsoft Security Response Center (MSRC).
“We will continue to anchor on a predictable rhythm and a disciplined process, while adapting as needed to the conditions in front of us,” he said. “What we encourage in turn is a thoughtful look at whether the practices that worked well for the patching landscape of a few years ago are still well matched to where the landscape is heading. The fundamentals have not changed. The pace at which they need to be applied is changing.”
CSOonline reached out to both Microsoft and Nightmare Eclipse, and neither provided any clarification or additional comments by publication time.
Frustration on both sides
One of the issues behind the debate over cybersecurity disclosure policies is that many researchers feel their reports are either ignored or patched only after unreasonable delays by major vendors, including Microsoft.
Adding to researchers’ frustration is the fact that vendors often do not communicate well about where things stand with a reported security problem.
But vendors have their own complaint: with finite resources, they can’t quickly address every one of the many holes reported to them, so they must prioritize what they patch.
A related issue is the widespread belief that major vendors, including Microsoft, prioritize a patch only once the hole becomes public; one cited example is the Microsoft Authenticator flaw, which Microsoft had known about for eight years before fixing it once it was publicized.
Both sides may be right
Consultants and cybersecurity executives said both sides make good points in this instance.
“Microsoft is right that uncoordinated zero‑day drops create real and immediate risk for customers, and researchers are right that vendors sometimes move only when pushed,” said cybersecurity consultant Brian Levine, executive director of FormerGov. “Both truths can exist at the same time.”
And Flavio Villanustre, CISO for the LexisNexis Risk Solutions Group, added, “the cry from the security researcher feels like there is something vindictive going on. If the researcher believes that [Microsoft] acted unethically or illegally and has evidence in that respect, they could raise complaints with the appropriate authorities, rather than write a blog post. I am inclined to believe Microsoft more in this case.”
Gary Longsine, CEO of Intrinsic Security, also pushed back against Nightmare Eclipse, questioning whether the researcher is functioning as an objective security researcher at all.
“This person might have a legitimate grievance of some sort against Microsoft, however, legitimate security researchers don’t do things this way,” he said. “I don’t do things that cause damage to literally billions of innocent bystanders, as retribution for whatever slight I may perceive. This is an attacker, an adversary, not a security researcher.”
Erosion of trust
In addition, Ishraq Khan, CEO of coding productivity tool vendor Kodezi, said he is concerned about the emotional elements of the exchange between the researcher and Microsoft because they are eroding trust, and that erosion is potentially the biggest danger.
“The researcher appears to believe the relationship failed long before the disclosures occurred. Reading the public posts, the recurring theme is not simply vulnerability research, but frustration over communication, trust, and access to the disclosure process,” Khan said. “Whether those claims are accurate or not, the researcher clearly believes private channels stopped working and that escalation was the only remaining option.”
And that erosion of trust, Khan said, is a critical issue, because AI, especially autonomous agents, is going to require far more trust between vendors and researchers.
“The industry is entering a new era of vulnerability discovery. We are seeing increasingly capable AI systems uncover bugs, identify attack paths, and assist researchers in ways that were not possible a few years ago. The volume of discovered vulnerabilities is increasing while the time between discovery and potential exploitation is shrinking,” Khan said. “That changes the dynamics of disclosure. Historically, researchers and vendors were operating on a timeline measured in months. Today, discoveries can spread globally within hours. A breakdown in trust that might have once affected a handful of people can now affect entire ecosystems.”
He added, “the reality is that responsible disclosure only works when both sides believe the system is functioning. Researchers need confidence that findings will be taken seriously. Vendors need confidence that researchers will give them enough time to protect customers. Once either side loses faith in that process, the entire model becomes fragile.”
“What concerns me is that these disputes appear to be becoming more public, more adversarial, and more personal. Once security discussions shift from technical facts to questions of intent, reputation, and motivation, customer protection risks becoming secondary to the conflict itself.”