alt.hn

5/28/2026 at 9:45:54 PM

GitHub bans security researcher who posted zero-day Windows exploits

 https://www.tomshardware.com/tech-industry/cyber-security/microsofts-github-bans-security-researcher-who-posted-zero-day-windows-exploits-because-company-ruined-their-life-expert-claims-action-is-vindictive-and-promises-further-retaliation

by possibilistic

5/29/2026 at 4:56:53 AM

I stopped reporting any security bugs I find in web apps because first time I did it I almost got arrested by the police.

The second time I did it they contacted my employer directly without even getting back to me saying they were unhappy of me reporting it and wanted to write about it after they fixed the issue.

Since then I decided it’s not worth all the hassle and I will let them be and I can also have a peaceful day.

by rukshn

5/29/2026 at 8:02:05 AM

If you want to, you can report any vulnerabilities to the Finnish Cyber Security Centre and they'll handle all of the reporting and mediating the issue with the affected party. You can do this wholly anonymously, so you don't have to worry about some trigger-happy corpo ruining your life.

Traficom's FCSC has been a great asset for white hat security reseachers globally by allowing them to just keep contributing to the common good.

by Permik

5/29/2026 at 10:22:22 AM

I should have known this exists, yet I didn't. Thanks for pointing it out.

This seems to be a direct link to a web form to report (in English): https://eservices.traficom.fi/ContactForms/form/haavoittuvuu...

In particular, note that all the fields asking for personal information disappear if you select "Yes" in "I am submitting an anonymous tip" field.

by taneliv

5/29/2026 at 11:17:01 AM

Just to play devil's advocate, couldn't sending zero-day exploits to a foreign nation's intelligence service potentially cause the sender significantly more trouble.

by notarobot123

5/29/2026 at 12:11:43 PM

Finland is a NATO country, so for most people on this site you would be sending it to a government agency of an allied nation. Punishing that would make it look like you don't trust your allies

The other angle is that you are obviously doing it in good faith, on the assumption that they will try to work with the vendor to fix and responsibly disclose the vulnerability

by wongarsu

5/29/2026 at 11:32:53 AM

Because... your home country or affected company could consider it espionage? Sounds like a stretch.

by paulryanrogers

5/29/2026 at 11:29:36 AM

Just to play devil's advocate

Why?

by reaperducer

5/29/2026 at 4:12:15 PM

Because information asymmetry benefits those with the information. If the devil understands your argument, and you don't understand the devil's argument, the devil will have information advantage.

by bauldursdev

5/29/2026 at 4:31:36 PM

Not everything in life deserves to have both sides aired.

For example, the Internet giving every crackpot wingnut on Earth an equal voice with scientists is how we end up with measles outbreaks.

by reaperducer

5/29/2026 at 1:05:08 PM

it's a good question

by 0xDEFACED

5/29/2026 at 11:59:26 AM

> If you want to, you can report any vulnerabilities to the Finnish Cyber Security Centre and they'll handle all of the reporting and mediating the issue with the affected party.

The CCC (Chaos Computer Club) in germany will probably do the same.

by entropie

5/29/2026 at 11:25:23 AM

Were you somehow able to intuit that parent is Finnish?

I'm intrigued by your post -- I used to tell people send things like this to CERT/CC... but it's been so long since I dabbled in that world that my contacts have departed and the current administration is so erratic that paired with Finland's recent rejection of neutrality and ascension into NATO that I would frankly agree that your CERT may be a better fit for the majority of people.

by firefax

5/29/2026 at 1:14:33 PM

> the current administration is so erratic that paired with Finland's recent rejection of neutrality and ascension into NATO

Not sure if this is what you mean, the comment is rather confusing to me (Finland was ever neutral? Between which states, surely not EU and Russia as they sit between? Which administration relates to Finland and is unreliable? Why would you need personal contacts to report vulnerabilities to a CERT? Etc), but they weren't rejected for NATO membership: https://en.wikipedia.org/wiki/Finland%E2%80%93NATO_relations opens with

> Finland has been a member of the North Atlantic Treaty Organization (NATO) since 4 April 2023.

by Aachen

5/29/2026 at 1:59:44 PM

That now that they've joined NATO, it's safe to share with them.

A "neutral" country might abuse them.

by firefax

5/29/2026 at 9:15:57 AM

You now have the worst of both worlds.

You report yourself to the police for trying to hack into a computer-system and you report yourself to the website that can now decide to sue you.

All of that without any benefits.

by rvnx

5/29/2026 at 9:23:05 AM

If it's anything like the Dutch or German infosec agencies, "worst of both worlds" is about as far from the truth as you can get. Maybe it works that way in Saudi Arabia but it's not "reporting yourself" here

by Aachen

5/29/2026 at 11:17:30 AM

I wouldn't trust anything like that in Germany, where everything is rules-based. Hacking is illegal, so if the police find out you hacked and can prove it, they will arrest you and you will be convicted, period. In Germany there's no common sense applied to the rules. Arguing that you hacked and then reported it responsibly won't reduce your criminal penalty for hacking.

by chadgpt3

5/29/2026 at 1:00:35 PM

> I wouldn't trust anything like that in Germany [...] Hacking is illegal, so if the police find out you hacked and can prove it, they will arrest you and you will be convicted, period.

This is rather hilarious to read as a reply to someone whose day job is literally hacking in Germany. We document it for tax reasons and sometimes are even allowed to publish it, too! Besides paying clients, we also "hack" (read: help secure) projects and blog about the vulnerabilities we've found and what the disclosure timeline was

Clearly this doesn't work as a blanket statement and coordinated vulnerability disclosure is a thing here. I can agree there are caveats but the statements as made aren't accurate

As for dealing with the government, so far as I'm aware, none of us have had bad experiences with the German IT security agency (BSI) whenever a vendor was being uncooperative (healthcare vendors tend to be very, let's say, German about whose responsibility it is when their device sends genital pictures over a network with no encryption or authentication option available in the software)

by Aachen

5/29/2026 at 12:15:22 PM

Apart from a certain general incompetence in IT related topics, common sense is a rather important part of German legal interpretation. Intention, proportionality and such.

There are some infamous counter-examples, but you can find these in any country and it's these that make the news.

by ahartmetz

5/29/2026 at 9:40:59 AM

Is this purely theoretical? Asking since we don’t wanna encourage making the world worse if there is indeed a clever way to stay safe - has anyone been hassled after reporting to the Finnish Cyber Security Centre?

by Barbing

5/29/2026 at 1:26:28 PM

Well I'm a Finn and have reported my findings to the FCSC. Zero hassle. The folks at Traficom are a really nice and smart bunch, I have had chats with them face to face a couple of times. They are very well versed when it comes to potential issues or hassles with disclosing exploits. From what I've seen, everyone at Traficom really just wants to keep internet and information systems safe, and to provide the best support possible for IT professionals regarding cyber/information security.

You can also submit anonymously and/or via secure email: https://www.traficom.fi/en/contact-details/sending-secure-em...

This is what their privacy statement says: “Data breach information, including personal data, can be exchanged confidentially with other authorities relevant to the breach when required or permitted by law. The person who fills out the form is asked if they consent to the transfer of information to another authority."

by Swiffy0

5/29/2026 at 9:43:50 AM

Sir, this is not USA, don't assume stuff fucked up there is fucked up everywhere

by PunchyHamster

5/29/2026 at 10:57:54 AM

It's starting to be so common on the internet, clueless US residents not really grokking things aren't as bad in other places as in the US, that I'm starting to think that maybe this is some sort of psychological defense mechanism? You've heard how great and exceptional your country is since you were born, and suddenly evidence is being pointed to that maybe that wasn't so true, so your brain is trying to reason away how clearly this can't be true, you cannot been lied to your entire life...

by embedding-shape

5/29/2026 at 12:33:37 PM

That sounds a lot like the assumption that crime rates are better in less populous areas - just because there is less reporting doesn't mean that it isn't there.

Have you been to the US? If not how can you be certain that the US is truly worse?

by Nasrudith

5/29/2026 at 11:29:52 AM

> You've heard how great and exceptional your country is since you were born, and suddenly evidence is being pointed to that maybe that wasn't so true, so your brain is trying to reason away how clearly this can't be true, you cannot been lied to your entire life...

You are describing cognitive dissonance, I suspect most people do have it about their country (unless they really like history in which case they are aware of the fucked up things their country has done and there is much less dissonance) but the average US citizen is very much an outlier by the standard of western countries.

Even the smart ones who do know history often only know their side of it from their point of view and many of them have very little understanding of the world beyond their borders (because they simply have no need to).

They just seem to blur the border between nationalism and patriotism more than most countries.

by noir_lord

5/29/2026 at 1:54:52 PM

Reporting software vulnerabilites in Germany is the dumbest thing you can do, you WILL be arrested. There is a recent case where some company had a hardcoded database password in their EXE file and if you open it with e.g. Notepad you can see it and this already counts as "illegal hacking". https://www.heise.de/en/news/Federal-Constitutional-Court-re...

by sunaookami

5/29/2026 at 11:37:39 AM

I once tried to report an incident to a train line who had done "~a nice thing for a person~" and had photos about it on their social media. One photo was in their office and in front of a wall with a A4 page of usernames and logins for various systems on it.

I tried three different contacts I could find, only one came back to me and wanted to know what the systems did what the risk was etc. I pointed out I have no idea, and I'm absolutely not logging into mysterious systems to find out - pass it to your own IT so they can see what needs to be changed, rotated etc.

I did eventually get a message back from someone who thanked me for my diligence and said it was solved as they had now removed the photo... I really hope they had someone who understood look at it, but I decided not to engage further...

by hennell

5/29/2026 at 8:20:44 AM

Some may criticize regulations, but the EU-mandated cyber-resilience act (CRA) actually forced companies to have a clear contact point for vulnerabilities reporting, and to act upon it.

by harrouet

5/29/2026 at 9:31:29 AM

2026-09-11, save the date folks. That's when all companies selling products with digital elements in the EU have to have a reporting pipeline for actively exploited vulnerabilities and severe incidents.

by hiAndrewQuinn

5/29/2026 at 10:55:24 AM

Easy to remember

by u8080

5/29/2026 at 12:05:14 PM

Silver anniversary for it

by mjmas

5/29/2026 at 11:13:33 AM

[flagged]

by cromka

5/29/2026 at 6:11:35 AM

Do not bother.

I was wearing a white hat professionally for quite a while but I can't fault you - at this point trying to be honest and helpful is dangerous. If you decide to sell the vulnerabilities, so be it.

by subscribed

5/29/2026 at 5:52:10 AM

That's really sad to hear, you must have felt really bad. Just because they do not know about the vulnerability, it won't disappear. And they won't fix it too. Ignorance is a bliss, but not in this case...

by p0w3n3d

5/29/2026 at 6:02:40 AM

It should be obvious who the real criminals are in this case.

by SlightlyLeftPad

5/29/2026 at 6:36:26 AM

You could try reporting them (the exploits) anonymously to a government agency

by lionkor

5/29/2026 at 9:27:07 AM

The German "Chaos Computer Club" (hacker club) has a disclosure service. They approach the affected party as the club, hiding the persons identity. Not sure if they do it internationally as the page is in German. But nice idea and not a government agency.

https://www.ccc.de/disclosure

by phartenfeller

5/29/2026 at 12:18:05 PM

They did notify Collins Aerospace in the past, so I assume they do report internationally.

by Lukas_Skywalker

5/29/2026 at 8:56:18 AM

So they can exploit it in secret for their own benefit?

by ranger_danger

5/29/2026 at 1:45:19 PM

If you have so little trust in your government (maybe you're American?) it might be time for change!

by lionkor

5/29/2026 at 9:06:04 PM

Considering Snowden files have shown they intentionally hoard 0days, I don't think it's so much a lack of trust as it is a proven track record of their behavior.

by ranger_danger

5/29/2026 at 2:17:10 PM

No shit. Mind telling us how? Because elections sure aren’t going to do it.

edit: sorry, there is so much of this sentiment, and the system is proven to be rigged. We know that things have gotten bad. Really bad. And there’s little hope of it self-correcting. The corruption is too deep and now seems unabashed. I seriously do want advice on how to change things, but three out of the four boxes meant to preserve liberty have proven to be inadequate. I see no future that doesn’t involve violent upheaval. Convince me otherwise.

by voakbasda

5/29/2026 at 2:01:20 PM

sell them to a vuln or exploit broker. problem solved.

by lofaszvanitt

5/29/2026 at 9:40:49 AM

[flagged]

by avazhi

5/29/2026 at 11:36:37 AM

[flagged]

by Izmaki

5/29/2026 at 5:59:17 AM

[flagged]

by snvzz

5/29/2026 at 12:13:18 AM

No idea what's happening here, but the First Rule Of Major Bug Bounty Programs is that everybody involved on the vendor side is actively incentivized to pay out. In many cases, there are people whose internal metrics depend on payouts. Payouts are causes for celebration in these programs. Microsoft is almost certainly[†] not trying to save money by screwing over bounty claimants.

This might not be true of small companies (and is a reason why small companies shouldn't run bug bounty programs), but it is definitely true of FAANG/MAG7-scale companies.

This doesn't mean these bounty programs err on the side of paying out, or that they won't routinely make decisions that will piss you off. It does however work against claims that they're withholding payouts vindictively.

[†] Only hedging because it's been a minute since I've talked to anyone at Microsoft.

by tptacek

5/29/2026 at 3:56:11 AM

Read the write up on YellowKey. [1] It sounds like, in at least some instances, he's publishing official Microsoft backdoors probably used by US intelligence agencies et al. It turns out that Bitlocker is insecure and backdoored. Something noooobody expected after TrueCrypt just mysteriously and suddenly shut their doors one day, removed all downloads, and recommended everybody move to Microsoft's BitLocker. lol.

[1] - https://www.tomshardware.com/tech-industry/cyber-security/mi...

by somenameforme

5/29/2026 at 4:44:56 AM

If you were using bitlocker to replace truecrypt, you'd have a boot password and this would not affect you at all.

I'm still far from thinking this is a backdoor. It tricks the boot environment into deleting a file and then it doesn't ask for a password. The exploit is nowhere near bitlocker, the problem is that bitlocker without a boot password requires the whole OS to preserve security from boot through the login screen.

And where's the claimed version that works when a PIN is set?

by Dylan16807

5/29/2026 at 11:00:55 AM

> And where's the claimed version that works when a PIN is set?

Maybe it was on GitHub/GitLab before the author was banned by both Microsoft and GitLab, not really sure we'd know. The authors last post on their blog is from yesterday (28th of May, https://deadeclipse666.blogspot.com/) so seems they aren't fully gone. But yeah, been a lot of "promises" but besides the initial 0days, not so much released AFAIK.

by embedding-shape

5/29/2026 at 7:16:03 AM

It's not a backdoor, Microsoft doesn't need a backdoor to bypass BitLocker because they can sign payloads that'll pass the TPM.

by ChocolateGod

5/29/2026 at 7:41:53 AM

Why would it not be? Microslop doesn't need to make such a backdoor, but it's still a lot more convenient to make one generic backdoor than many signed ones.

by kristjank

5/29/2026 at 8:46:14 AM

They'd only need to make one payload that keeps the TPM happy, unlocks the disk and provides the files for export some way.

Far safer than a backdoor and no evidence.

But the slop in your comment here indicates you're arguing in bad faith.

by ChocolateGod

5/29/2026 at 12:35:02 AM

It all started because the bureaucracy refused to even consider Bluehammer when they couldn't cajole the reporter into providing video footage.

And then to double down and ban accounts because you'd rather not fix the bureaucracy is really just a bad look. I'm not quite sure why MS is getting the benefit of the doubt from you.

by halJordan

5/29/2026 at 12:45:29 AM

They're not. These programs make decisions I wouldn't make all the time (though for reasons more complicated than message board discussions capture). I'm making a much narrower claim than you think I am.

by tptacek

5/29/2026 at 2:04:45 AM

They also silently patched RedSun, didn't issue a CVE until much later.

There's something fishy going on with these vulnerabilities. I'm not one for conspiracies but it's not a good look for Microsoft, they are obviously trying to cover something up.

by thewebguyd

5/29/2026 at 11:19:06 AM

They are probably the NSA backdoors

by chadgpt3

5/29/2026 at 3:43:57 AM

The bug this guy brings up is very obviously a Bitlocker backdoor and raises very serious questions about what Microsoft is doing with the encryption. Pretty certainly they're able to decode the volumes without the user's key, which is extremely concerning.

Looks like they're trying to make it disappear, but it's in the wild now.

by ikidd

5/29/2026 at 3:52:38 AM

It’s a post-boot authentication bypass exploit. Any post-boot authentication bypass exploit against TPM-only sealed BitLocker effectively bypasses it. The user doesn’t have a key to start with in this setup, just the machine.

This exploit is cool but there are similar exploits discovered in any given year and nothing really reeks of a backdoor; this one seems to be gaining attention mostly because Microsoft’s robo-call level initial response caused the researcher to dramatically crash out.

by bri3d

5/29/2026 at 4:08:03 AM

I wouldn't be surprised if this was intentionally put in, but I think its important to clarify that the encryption itself wasn't broken, and with this exploit specifically the drive also has to remain inside the original PC/TPM. It's a boot authentication bypass, not an encryption break.

As far as we know, having TPM+Pin or TPM+Startup Key breaks the exploit. TPM only was always known to be basically ineffective against threats like laptop theft, TPM only would only protect you if the drive was stolen out of the machine, which in that case, this exploit also would not work.

by thewebguyd

5/29/2026 at 9:07:57 AM

I know someone who works for a nefarious gov org and they never put the bitlocker keys in the TPM on their laptops. You have to enter the password yourself on power up.

Wonder if they knew about this.

by cryo32

5/29/2026 at 12:30:25 PM

You don't need to be thinking of any specific vulnerability to realize that putting the decryption key next to the data you're trying to protect is a dumb idea.

If for example a laptop like that gets lost or stolen, the attacker has the data and the key, in a box they physically hold, with no attempt limit, and unless they actively mess with the boot process, it will happily load the key into memory for them. If it's a discrete TPM the attacker can likely sniff the key on the wire. If that doesn't work, they just need to find a vuln anywhere in the secure boot process, or in Windows, and again, they have the key. And if that doesn't work, they could sniff the memory bus, or do a cold boot attack (again, with unlimited attempts unless they irreparably damage the mainboard/TPM in the process).

by tgsovlerkhgsel

5/29/2026 at 2:37:40 PM

The key is still in the TPM in that scenario it just requires a password to unlock it.

by tatersolid

5/30/2026 at 4:21:12 PM

It's a journal replay attack

by LocalH

5/29/2026 at 12:33:35 AM

To corroborate, working in bug bounty triage, I never saw any evidence of reluctance to pay out.† The worst company-side behavior I observed was asking researchers to "please stay away from X" in their proof-of-concepts and then making higher payouts to researchers who ignored that instruction (because, after all, the demonstrated risk was higher!).

On the other side of things, I saw one major program pay out at an inappropriately high tier, over and over again, because a long time ago the researcher had successfully argued that his garden-variety XSS exploit could be used to generate an effect that was listed at a higher payout rate, and then he made sure that whenever he found an XSS, he included a proof-of-concept generating that same effect. Other researchers reporting XSS got the listed XSS rate.

† Actually, I can think of one time. Someone achieved the holy grail and installed a webshell on a company server, which under current guidelines would have been worth more than $10k. However, they didn't uninstall the webshell. They just filed their report and left it up. This enraged the head of the program, who commented specifically that he didn't want to pay out a bounty because of it. I don't recall whether a bounty was ultimately paid or not.

by thaumasiotes

5/29/2026 at 5:02:56 PM

It happened many times to me, especially on H1 but also from senior FAANG engineers on their mailing lists. If your job is to pretend all is fine it is easy to discard valid reports.

by bflesch

5/29/2026 at 2:43:11 AM

ooc, would you claim its the responsibility of the security researcher to remove the webshell, or the company's as soon as they were notified? was it publically discoverable and exploitable or was there some form of protection?

by arjvik

5/29/2026 at 2:48:20 AM

I would agree it's the researcher's responsibility. It's not that the company put up a webshell for kicks. The researcher found an exploit (good), and used it to install a webshell, demonstrating the highest possible risk (fine).

Once the shell is up, anyone who finds the URL has code execution on the server, because that's what a webshell is. Using it is a different skill than installing it.

Imagine I figure out how to jackpot your bank's ATMs, and I demonstrate this by setting a public ATM into "press button to receive $20" mode, pressing the button, getting $20, and sending you a letter describing how I did that, with the $20 scrupulously enclosed. Meanwhile, the ATM remains in the state of "press button to receive $20". How happy would you be?

Was it publicly discoverable?

Technically, yes, though realistically you'd have to guess the URL. I would find it pretty funny if one attacker got access somewhere by guessing the URL of a webshell installed by a different, more self-sufficient attacker, but that's not to say it doesn't happen.

Was it publicly exploitable?

Yes; the researcher didn't set up any authentication or anything.

by thaumasiotes

5/29/2026 at 5:15:28 AM

I.. just can't wrap my head around that.

Once the notification is in and the shell demostrating it is up it should be immediate redeploy to a clean state, fix the hole, redeploy to a patched state.

The shell disappears on step one.

Instead some moron has the audacity to get all hurt because the broken system he is responsible for has not been patched back by the attackers?

What is this lunacy?

by lstodd

5/29/2026 at 8:52:40 AM

It's at the minimum a bit impolite to leave the system more vulnerable in between sending the report and the report being received and acted on.

by rcxdude

5/29/2026 at 10:53:18 AM

It didn't become any more vulnerable.

This is security, you have to have procedures for when you get owned; the bug bounty program is orthogonal to that.

If they wiped prod db and put up goatse on my site I would have still paid and said thank you provided I was told how that was done.

by lstodd

5/29/2026 at 5:53:53 PM

> It didn't become any more vulnerable.

That depends on how secret the URL was. If you go from needing an exploit to just visiting a guessable link, that's significantly more vulnerable.

> If they wiped prod db and put up goatse on my site I would have still paid and said thank you provided I was told how that was done.

Well most people wouldn't, and for good reason.

by Dylan16807

5/29/2026 at 3:15:16 AM

If the URL was unpublished, isn't that the same-ish as password protected?

All about bits of entropy i.e. difficulty if guessing.

by BenjiWiebe

5/29/2026 at 2:55:24 AM

If they were smart after the ban, they'd hire him for mucho dinero. These corporations are nervous but if they're not stupid they pay out. It's Microsoft, so it's perhaps nof the most progressive when it comes to these things, so who knows if they've realized it.

by mancerayder

5/29/2026 at 10:15:11 AM

They are supposedly disgruntled ex microsoft. I dont know if they would accept a payout

by protocolture

5/28/2026 at 11:01:51 PM

I can’t help but feel Microsoft will regret this.

Guy finds zero days and gets no compensation. Instead gets banned.

Guy sells zero days elsewhere.

by bitbasher

5/29/2026 at 12:53:45 AM

But the story is supposedly about him posting the zero-day exploits, not selling them. It’s in the title.

He also got banned from Gitlab, which isn’t related to Microsoft at all.

by Aurornis

5/29/2026 at 1:12:56 AM

Ever considered these aren't the full set of exploits the researcher discovered? Or that he can find more since he found these? If I found a bunch, I'd certainly withhold a few as insurance.

by gchamonlive

5/29/2026 at 2:14:33 AM

Sure, but GitHub and Gitlab aren’t the only two ways to share code on the Internet. The conspiracy theories about two unrelated companies shutting down his git accounts to prevent him from releasing these supposed exploits are reaching pretty deep into conspiracy theory nonsense. The conspiracy theories can’t even agree if he was banned for posting them or because he hadn’t posted them but might post them.

by Aurornis

5/29/2026 at 3:53:46 AM

time to post on IPFS

by yieldcrv

5/29/2026 at 6:04:16 AM

Sadly, IPFS is compromised[0].

0. https://specs.ipfs.tech/ipips/ipip-0383/

by snvzz

5/29/2026 at 4:00:08 PM

What does this mean and compromised in which sense?

by gchamonlive

5/29/2026 at 4:18:20 PM

They’re pointing out a proposal that some nodes can block pins, resulting in censorship

and that censorship at all would compromise the point of IPFS

although I disagree with both of those takes. Nodes always had discretion in IPFS, just pick a different node or pin something yourself which has pretty much always been required. Everyone can route to your pinned files while pinned.

by yieldcrv

5/29/2026 at 5:54:28 PM

Ah! Ok, when I read compromised I thought it was a proposal that introduced a security vulnerability to the tech. Thanks!

by gchamonlive

5/29/2026 at 8:48:48 PM

I can see a situation where Microsoft contacted federal law enforcement to strongarm both GitLab and GitHub. But I believe all megacorps are one giant government conspiracy so consider the source.

by nazgulsenpai

5/30/2026 at 12:03:33 AM

At this point, the government is a megacorp conspiracy.

by thfuran

5/29/2026 at 10:04:59 AM

Is Gitlab also part of this? This is disappointing but unsurprising :(

by gchamonlive

5/29/2026 at 3:49:26 AM

I'm not sure if this is an unintentional mistake. Gitlab did not perform a ban. Github performed the ban. Github is fully-owned by Microsoft.

by linkregister

5/29/2026 at 5:05:50 AM

Yes they did: https://gitlab.com/nightmare-eclipse

That git account was posted on their blogspot...

by moepstar

5/29/2026 at 6:05:31 AM

Awful.

I understand Microsoft's being petty, but why would GitLab do this?

by snvzz

5/29/2026 at 10:46:16 AM

Lawyers?

by tg180

5/29/2026 at 5:05:53 AM

Not one or the other but both. He's banned on GitLab as well.

by input_sh

5/29/2026 at 9:45:52 AM

Well, after they didn't pay him for previous bugs. Not an excuse but certainly a reason.

by PunchyHamster

5/29/2026 at 7:26:44 AM

Are you sure?

by lobito25

5/29/2026 at 12:02:30 AM

Not to mention all the other people who find 0-days. Reputation matters a lot.

by akkartik

5/29/2026 at 12:09:06 AM

Yep, and its a really small world out there.

If researchers stop believing MS will treat them fairly it's bad news for the entire security industry.

by mapontosevenths

5/29/2026 at 3:27:02 AM

Well. Its a bad news for society as whole.

Security industry going to be okay - someone will always pay for 0-days. If vendors wont pay its just gonna be US agencies, Israel resellers, China or Russia.

If you don't feed your army, you will soon feed someone's else's.

by SXX

5/29/2026 at 5:15:49 AM

It's had bad news only for Windows buerocrats. Good orgs don't use Windows.

by rurban

5/29/2026 at 12:13:43 PM

I have now worked for/with a significant percentage of the fortune 500. All used Windows in some capacity.

Is this just your way of saying that only tiny, weird, companies are "good"?

by mapontosevenths

5/29/2026 at 1:29:30 PM

It's saying that those with Windows could be 100x more effective and secure. Wasting billions of money and a lot of time

by rurban

5/29/2026 at 12:36:36 PM

These days corporate security treats these workstations like a dummy terminal. No secrets live on the workstation. You have to re-auth with sso constantly with biometrics and are basically editing data that is in a cloud. So the risk to a corp is minimal where even in the worst case they are insured.

Zero days like this are being disclosed regularly so the idea of securing a windows workstation is tantalizing but you'll never feel satiated trying to drink that water so don't even try.

So yea there's plenty of windows users but we're certainly not hosting anything important on those boxes and would frankly be aghast at the suggestion.

by hparadiz

5/29/2026 at 8:53:34 PM

> These days corporate security treats these workstations like a dummy terminal

Correct, "zero trust" is the buzzword but this is how Microsoft even recommends you set up your endpoint infra. Assume breach, treat every endpoint as if it is currently compromised or could be at any time. Laptops are basically ephemeral, when set up right, and can be wiped and re-imaged within an hour or less.

That's not unique to Windows either, that's how all employee/user endpoints should be managed.

by thewebguyd

5/29/2026 at 12:12:23 AM

Not to mention all the startups being founded right now. Sure, github's still the default, and maybe you can still monetize stars or something, but it's also a clown show from an availability, feature roadmap and company policy perspective.

Is it really fiscally responsible to tie your company's future to that?

I wonder if anyone tracks metrics for this stuff. Percentage of stuff with a repo there is probably still high, but what's happening with stuff like github actions, and are devs directly pushing to github, or are they just mirroring an internal / other provider's git repo to it?

by hedora

5/29/2026 at 5:17:51 AM

> Guy sells zero days elsewhere.

No problem. The CIA will give it's high level officers millions of dollars in gold bars simply for the asking. I'm sure purchasing exploits doesn't even require a purchase order.

by themafia

5/29/2026 at 1:20:38 PM

Why would they regret it? According to the person who found them, they put those vulnerabilities there for a reason.

by nullbio

5/29/2026 at 6:46:35 AM

In the past recent months i've been dealing with a lot of strange digital responses at various related things. It caused a lot of frustration and i couldn't exactly pinpoint what i was doing wrong. Then i read this sentence in the article:

"But to save money, Microsoft fired the skilled people, leaving flowchart followers."

Flowchart followers.. Now those are nice words to remember. It says it all. Not paid to think, but to follow pre-paved processes. My guess is that in the near future one will have to deal with a lot more flowchart followers, wether they be digital or actual human beings.

by b3lvedere

5/29/2026 at 8:30:20 AM

Most companies providing corporate security consulting I had to deal in the past are operating on a checklist.

by irusensei

5/29/2026 at 7:02:21 AM

A lot of blue collar trades - mechanic/electrician/builder etc following the `flowchart` is the `law` of the land and process is written in blood and liability

Whereas IT/Ops/developers see themselves as artisinal, free thinking, intellectual beings. Where skill is related to shortcuts, hacks, and thinking outside the box compared to following process

by throwburn202605

5/29/2026 at 12:44:36 PM

These get trained to be able to reason about why the flowchart is the way it is or outright to construct it. If you can't create a flowchart yourself, you shouldn't direct work following it. Following the flowchart is, so that you don't make mistakes on execution, because there will eventually be mistakes, it's not intended that it saves you from knowing what you do in the first place. In other words: you follow a flowchart to prevent accidental deviations from the process. Once you question, what you actually should do, the flowchart is useless as guidance.

by 1718627440

5/29/2026 at 9:31:54 AM

And in other blue collar union environments, following the book is known as "work to rule" and considered a mild form of sabotage/industrial action.

by pjc50

5/29/2026 at 9:26:59 AM

It depends, flowcharts are great for defined processes, but troubleshooting (which vulnerability research mirrors) is not a flowchart or checklist or task list.

by radishingr

5/29/2026 at 2:55:18 PM

It depends what your skill set is - professional engineers are qualified to make the flowcharts and sign off on designs. So it’s not about how you see yourself, it’s whether you have the experience and training to be able to follow actual engineering methodology.

by stephen_g

5/29/2026 at 12:09:11 PM

I am all in favor for extensive logging, documentation and following the processes, especially regarding safety. But there will always be miscommunication and cases where some thinking or adaptation of those processes are required. Stopping that for cost reduction will eventually lead to enshittification.

by b3lvedere

5/28/2026 at 10:54:05 PM

> forcing them to pack up and move shop to GitLab instead.

https://gitlab.com/nightmare-eclipse

Blocked user @nightmare-eclipse

Looks like they’re banned on GitLab as as well?

by jrflowers

5/28/2026 at 10:58:37 PM

I suspect MS threatened them with a SmartScreen blackhole for the domain, I'm not surprised they pulled it.

by parliament32

5/28/2026 at 11:32:48 PM

I don’t like the idea Microsoft can bully other websites into blocking content they don’t like.

by josephg

5/28/2026 at 11:42:24 PM

Do we have any evidence they did that other than the comment you replied to speculating?

by akerl_

5/29/2026 at 12:51:16 AM

Yes they definitely did that. Find evidence to the contrary.

by keepupnow

5/29/2026 at 1:38:07 AM

Is this sarcasm? Or are you saying that the onus of providing proof is not on the those making the claim, but instead that the onus of proof is on those who did not make the claim?

by no-name-here

5/29/2026 at 6:44:52 AM

You don't need to be Sherlock Holmes to draw that conclusion.

by baobabKoodaa

5/29/2026 at 6:09:29 AM

Sure you can provide an alternative explanation?

Otherwise, that's the best we have.

by snvzz

5/29/2026 at 7:41:48 AM

> Sure you can provide an alternative explanation?

In terms of a possible explanation for why GitLab would take an action, was it considered whether the (disturbed?) user violated GitLab's Terms of Service? Is the assumption that GitLab didn't just enforce their ToS, but that they're instead more likely to be secretly acquiescing to backroom bullying between companies over specific users?

by no-name-here

5/29/2026 at 11:13:12 AM

It seems clear that the Bitbucket devs paid bribes to Gitlab to ban this user to drum up anti-GitHub sentiment.

by akerl_

5/29/2026 at 1:04:33 AM

Are there any copies of what he supposedly posted? I have a hard time believing someone posted groundbreaking exploits to two separate Git websites and not a single person cloned them.

I also think it’s funny that people are alleging .gov conspiracies that end in a publicly hosted “blocked user” page instead of just 404-ing or something.

by Aurornis

5/29/2026 at 1:38:56 AM

Forks are still alive on github, so it seems unlikely microsoft did this to suppress the code. Unless they are wildly incompetent, which I don't want to outright reject as a possibility.

https://github.com/xiaoji235/bitlocker-bypass-tool-for-winre

Unfortunately I don't think there is any way to see a list of all the forks now that the main repo is dead, but you can search the phrase "A huge thanks to MORSE, MSTIC and Microsoft GHOST for making this public disclosure possible" to find more copies.

by jwitthuhn

5/28/2026 at 11:24:40 PM

Is there any public word from Microsoft about what is going on here? Why would both Microsoft and Gitlab ban the user? I thought both platforms allowed hosting exploits and security research as long as everything is clearly marked up-front, I'm guessing some rules were broken?

by embedding-shape

5/28/2026 at 11:30:52 PM

Well if it’s a full disk encryption exploit that still requires hardware access I imagine it would have been made for a 3-letter govt org or something

by amusingimpala75

5/29/2026 at 6:06:38 AM

FDE is meant to protect data at rest.

Hardware access is a given.

by snvzz

5/29/2026 at 12:37:50 AM

The fde encryption exploit is only for volumes that auto decrypt anyway. So it's a know (accepted) that the model doesn't really try to avoid.

You guys need to stop reaching for conspiracy

by halJordan

5/29/2026 at 12:51:03 AM

Which is all of them that don't require a pin (rare).

by throwaway85825

5/29/2026 at 7:58:35 PM

[dead]

by notawhitemale

5/29/2026 at 12:11:37 AM

[flagged]

by mapontosevenths

5/29/2026 at 12:27:31 AM

Usually, when intentional backdoors like that get found and fixed, the 'someone else' stays silent. Otherwise, they provide proof that they've been planting backdoors, and that's much worse than having a hole plugged.

To get an idea of how this stuff usually works, start with the Simple Sabotage field manual:

https://ia601309.us.archive.org/14/items/Simplesabotage/Simp...

by hedora

5/29/2026 at 1:02:14 AM

If a government agency wanted to sweep this under the rug, don’t you think they’d just pay the bounties for the guy instead of giving him more ammunition for his crusade?

I think it’s more likely that the guy is just being as abusive to these services as the quotes in the article where he’s talking about crushing their bones

by Aurornis

5/29/2026 at 4:14:31 AM

>you think they’d just pay the bounties for the guy instead of giving him more ammunition for his crusade?

It seldom pays to presume competence.

by mapontosevenths

5/29/2026 at 3:06:23 AM

I'm not a BitLocker user or expert, but I thought I'd read that if you used a BitLocker PIN, the exploit didn't work. If the gov't asked MSFT to deploy an exploit, wouldn't they make it work PINlessly?

by bananamogul

5/29/2026 at 3:50:37 AM

The hacker claims it can bypass PINs as well, but AFAIK hasn't posted poc

by stackghost

5/29/2026 at 7:28:54 AM

There's zero proof it's an intentional backdoor, it's just FUD spread by the exploit author which is probably not helping his case and may be reason for his ban.

Microsoft doesn't need to put in a backdoor on disk because they can make payloads that'll pass the TPM and not need a single trace on the disk.

by ChocolateGod

5/28/2026 at 11:01:50 PM

Shoot the messenger. That’ll fix it.

by __d

5/29/2026 at 10:37:00 AM

Maybe they want to incentivise selling exploits to nation states, not patching them?

by subscribed

5/29/2026 at 10:28:28 AM

This situation highlights the inherent conflict of interest in Microsoft owning GitHub. While GitHub has clear terms of service regarding the hosting of active, weaponized exploits, the optics of banning a researcher who specifically targeted Windows are always going to look vindictive, regardless of the justification.

by sspoisk

5/29/2026 at 12:09:36 AM

Has Microsoft just created an editorial responsibility for itself to remove zero days from GitHub?

If my software winds up with a zero day on GitHub, will Microsoft nuke that account, too?

by JumpCrisscross

5/29/2026 at 1:48:27 AM

Why would taking this action have any implication for responsibility to take future actions against other accounts?

by akerl_

5/29/2026 at 2:01:31 AM

Legally? I don’t know.

More loosely, the fact that they deem this to be an appropriate action when it comes to their own interests would seem to condemn them if they refuse to take it when it comes to others’ interests, particularly those with whom it has a relationship of trust in any capacity.

by JumpCrisscross

5/29/2026 at 2:04:09 AM

Outside of legally, I’m not aware of any framework where “creates an editorial responsibly” makes sense.

Even beyond that… most business relationships wouldn’t involve an expectation that Microsoft does things for other entities that it does for itself.

by akerl_

5/29/2026 at 2:12:59 AM

I’m thinking of § 230 of the CDA [1], where the line between publisher/speaker and not can come down to editorial discretion.

[1] https://en.wikipedia.org/wiki/Section_230

by JumpCrisscross

5/29/2026 at 2:24:28 AM

It can’t, and it doesn’t.

Section 230 has no concern with publishers making editorial decisions. GitHub can moderate user content on its site however it wants.

by akerl_

5/29/2026 at 6:58:12 AM

Per your source:

1. Section 230 was largely enacted in 1996 to solve the 1995 ruling that "because Prodigy had taken an editorial role with regard to customer content, it was a publisher and was legally responsible for libel committed by its customers" (i.e. one of the biggest purposes of section 230 was to allow companies to make editorial decisions without causing them to become legally liable as a result).

2. The law was "designed to override the decision…, so that a service provider could moderate content as necessary and would not have to act as a wholly neutral conduit."

3. However, Trump has challenged that, including with Executive Orders, although I don't think Trump's rationale is well thought through, including because he explicitly complained that his posts like "Any difficulty and we will assume control but, when the looting starts, the shooting starts" being taken down was a specific example of why 230 should be revoked.

4. And some think the opposite as well, such as Democratic leaders who "believed that Section 230 led the companies to fail to take any preemptive action against the people who had planned and executed the Capitol riots" for example.

EFF's take on 230 ( https://www.eff.org/issues/cda230 ) includes:

> Section 230 allows for web operators, large and small, to moderate user speech and content as they see fit. This reinforces the First Amendment’s protections for publishers to decide what content they will distribute. Different approaches to moderating users’ speech allows users to find the places online that they like, and avoid places they don’t.

by no-name-here

5/28/2026 at 11:35:09 PM

What's the backstory on this researcher? They seem to have a personal vendetta against Microsoft and thus releasing zero days that he found with the help of AI?

Seems like the gold rush period is over for bounty hunters and its more about who has access to hardware/token capital.

by zuzululu

5/29/2026 at 12:24:06 AM

It sounds like they're pissed because they produced a large number of high-value exploits, sent them to MS, were treated like crap, and then MS refused to honor their own published bounties:

> But to save money, Microsoft fired the skilled people, leaving flowchart followers. I wouldn't be surprised if Microsoft closed the case after the reporter refused to submit a video of the exploit, since that's apparently an MSRC requirement now."

If I spent years learning your system, then gift wrapped zero-days that are devastating at multiple levels of your stack for you, and the response was flow chart tech support with a "buy a webcam" cherry on top, I'd be pretty pissed too. The bounties for these (which apparently work, since they're under active exploitation) add up to mid six figures, and, apparently, there's a pile of additional ones in the wings.

Bug bounties are already exploitative (they pay 10x higher wages to people that write the bugs than the people that find them, and finding them is generally much harder).

Breaking trust by refusing to pay up when the issues are filed through official channels is unprofessional and sleazy.

If this researcher actually had a vendetta, I'd expect them to just sell the remaining zero-days to the highest bidder.

by hedora

5/29/2026 at 1:34:42 AM

> If this researcher actually had a vendetta, I'd expect them to just sell the remaining zero-days to the highest bidder.

How do we know they didn't? It's called zero-day because Microsoft wasn't aware of the exploits until today. It doesn't mean that no other parties have known about them.

by selcuka

5/29/2026 at 12:49:10 AM

> and the response was flow chart tech support with a "buy a webcam" cherry on top

I feel safe in saying that they don't want a video of you at your keyboard typing stuff. An exploit video is a recording of your screen, not of you.

by thaumasiotes

5/29/2026 at 1:39:11 AM

Which, if any of the exploits require anything that isn't on-screen (USB or other HID, key combination), requires a reboot, or anything done before Windows has fully booted, means one must have an external camera

Doesn't sound like it for these exploits specifically (except Yellow Key), but I could be wrong, and again: that's just for these exploits specifically

by xethos

5/29/2026 at 9:17:44 PM

I've used cheap HDMI to USB adapters for that in the past. Worked fine albeit somewhat low res. (Still much better than a camera pointed at a screen.)

by tosti

5/29/2026 at 2:40:51 AM

> (USB or other HID, key combination)

I don't think you'd need an external camera for that. What you're doing would be mentioned in the accompanying report.

I do agree with you about the boot process, though.

by thaumasiotes

5/29/2026 at 6:35:01 AM

I believe Hyper-V supports emulating TPM these days, so doing things to a VM and recording the desktop with the VM window _may_ work. In this case though it'd look very boring because you couldn't tell from the recording that anything happened.

by mook

5/29/2026 at 6:12:27 PM

Personally I'd think Microsoft would be cool with following the report instead of demanding video evidence in the first place, but silly me thinking the trillion dollar multi-national would be reasonable

by xethos

5/29/2026 at 6:28:16 AM

>>> flow chart tech support with a "buy a webcam" cherry on top

>> I feel safe in saying that they don't want a video of you at your keyboard typing stuff. An exploit video is a recording of your screen, not of you.

> if any of the exploits require anything that isn't on-screen (USB or other HID, key combination), requires a reboot, or anything done before Windows has fully booted, means one must have an external camera

That still wouldn't mean "buy a webcam" - if someone has had a mobile phone (smartphone or dumbphone) from recent decades, it likely had a camera included.

by no-name-here

5/29/2026 at 9:40:13 AM

It feels like they’re trying put hurdles in front of you instead of getting info about repeatability of the vulnerability.

by itopaloglu83

5/29/2026 at 12:38:33 AM

> If this researcher actually had a vendetta, I'd expect them to just sell the remaining zero-days to the highest bidder.

selling to the highest bidder doesn’t generate headlines though.

by sgjohnson

5/29/2026 at 11:24:58 AM

Oh it does, but they don't say "Researcher sells exploits to the highest bidder", they say "Handala group shuts down nuclear power plant"

by chadgpt3

5/28/2026 at 11:56:23 PM

The researcher's own statements note that the zero days were not found with AI.

And honestly I think that's the part that Microsoft is most upset about, because every internal partner conversation I've had has been about needing to buy Security Copilot because all the advanced attacks are coming from AI, and just suggesting vulnerabilities existed before AI seems to make salespeople uncomfortable continuing the conversation.

by technion

5/29/2026 at 12:00:27 AM

> They seem to have a personal vendetta against Microsoft

Probably because they were forced to use MS-DOS when so many better options were killed off by Microsoft's monopolistic and anti-consumer underhanded business tactics...

I might be projecting.

by beej71

5/29/2026 at 12:17:50 AM

What were the "so many better options" during that period? Have we found the only remaining CP/M fan?

by antonvs

5/30/2026 at 3:14:42 PM

OS/2 and DR-DOS are a couple examples. But what really gets me is the whole Xenix thing.

CP/M was great on Z80 systems. But a 386 was capable of so much more.

by beej71

5/29/2026 at 12:21:25 AM

a bit later, but not much: OS/2

by em-bee

5/29/2026 at 2:35:15 AM

The fizzling of OS/2 was as much IBM's fault as anything. If they'd paid more attention to it sooner, MS might never have shipped Windows; they'd just have made their office applications OS/2 GUI programs. But IBM was too fixated on its mainframes to realize that they were giving away the PC market to MS (again--they did it the first time by licensing DOS to MS).

by pdonis

5/29/2026 at 3:06:34 AM

Before Facebook, I used Friendster. Years later, I read how Friendster execs were too busy patting themselves on the back and flying around on private jets to get around to fixing the horrendous site lag of sometimes a minute to even sign into the web app. How could a company's leadership be so foolish? I understood this paled in comparison to the doomed arrogance of IBM's leaders when I read stories about IBM's downfall in the delightful book In Search of Stupidity: Over 20 Years of High-Tech Marketing Disasters.

by stephenhuey

5/30/2026 at 3:20:28 PM

Wait, did IBM license DOS to Microsoft? I thought IBM was looking for an operating system for the PC and approached Kildall about CP/M. That deal fell through, so they approached Microsoft. Gates didn't have anything, so he licensed QDOS for a song and licensed it to IBM.

by beej71

5/31/2026 at 2:45:56 AM

I was being somewhat sloppy. IBM bought DOS from Microsoft for the IBM PC--but neglected to buy exclusive rights to it, so Microsoft could and did sell it on its own as MS-DOS. (And later, other vendors began selling their own versions.) For PC users, this was a great deal, since it effectively made the IBM PC an open standard. But it meant that IBM captured much less value from DOS and PCs than Microsoft did.

by pdonis

5/29/2026 at 12:13:21 AM

I was forced to use ms basic on my c64. Never forgive, never forget.

by lstodd

5/29/2026 at 1:46:01 AM

I always found it weird to ship a BASIC interpreter that didn't have specialised commands (unless you count POKE) to access the graphics and sound capabilities of a computer like the C64. Some computers of the same era had vastly superior BASICs (such as Sinclair BASIC).

by selcuka

5/29/2026 at 3:21:54 AM

OTOH, I learned a hell of a lot about microprocessor internals by using POKE.

by nonfamous

5/29/2026 at 2:14:02 AM

I agree, it seems very low-effort on Commodore's part to license this lowest-common-denominator BASIC with no support for graphics and sound other than POKE. Super lame, but they got away with it.

by chihuahua

5/29/2026 at 2:43:22 PM

No they didn’t. If they had, I would be typing this on my Commodore phone.

by voakbasda

5/29/2026 at 12:32:06 AM

We're witnessing the industrialization of intelligence.

by soulofmischief

5/29/2026 at 1:40:18 AM

Very important info: https://www.theregister.com/security/2026/05/28/microsoft-0-...

In the linked Microsoft blog post, they say :

> The details of these vulnerabilities were not shared with Microsoft prior to release, and the disclosures put our customers at unnecessary risk.

So are they lying ? Why would Nightmare-Eclipse not report them if they are not ?

It's a very weird situation

by LelouBil

5/29/2026 at 2:25:23 AM

> the disclosures put our customers at unnecessary risk.

That statement irks me. Responsible disclosure or not, It's Microsoft themselves that put their customers at risk, not the researcher.

by thewebguyd

5/29/2026 at 3:02:53 AM

The industry, on average, approves of responsible disclosure because there's a tacit agreement that making risk-proof software isn't feasible. Though admittedly some companies don't seem to be trying very hard anymore.

It's not a dichotomy either, they can both have put the customers at risk.

by Cpoll

5/29/2026 at 3:47:00 AM

Especially since the only explanation for why this exists is as a backdoor.

by ikidd

5/29/2026 at 11:24:22 AM

Yeah, but the customer in this statement being entities that requested this backdoor. Not the people/companies who paid for the licences.

by subscribed

5/29/2026 at 11:28:28 AM

>Why would Nightmare-Eclipse not report them if they are not ?

Maybe they're a foreign intelligence cutout masquerading as a burned researcher.

by firefax

5/30/2026 at 12:54:10 AM

>Maybe they're a foreign intelligence cutout masquerading as a burned researcher.

Whoever silently downvoted this, I'd love to hear why you so strongly disagree with my assessment.

by firefax

5/29/2026 at 8:00:13 PM

[dead]

by notawhitemale

5/29/2026 at 1:28:39 PM

Lots of copies of the Windows source code still on GitHub, which is problematic if you're interested in NT and want to contribute to Wine or something...hard to avoid running into restricted code

by ptrl600

5/28/2026 at 11:51:08 PM

Amidst abysmal uptime, Ghostty leaving and now this, GitHub is accelerating their own downfall.

by jasonvorhe

5/28/2026 at 10:56:42 PM

Researcher seems a bit unhinged.

by cortesoft

5/29/2026 at 12:04:52 AM

This often seems to be the case for the most expert researchers, all a bit quirky. Anyone remember SandboxEscaper? I think they are deceased now but they were dropping Windows 0 days left and right. That person was quite a character. It's hard to describe it without potentially incurring the wrath of someone here but those who know, know.

by Rotdhizon

5/29/2026 at 8:47:31 AM

SandboxEscaper and Nightmare Eclipse both explicitly deny this, but I'm pretty sure they're the same person.

The style is the same, and it appears that SandboxEscaper has previously been fired by MSFT. (they are not dead) https://github.com/BigPolarBear1/The_story

SandboxEscaper, who has not really been very active online, started blogging again right before NightmareEclipse showed up. They've been offering to sell Microsoft related bugs. https://weirdquadratic.blogspot.com

OTOH, there's evidence against my theory in the form of prior tweets by the "ChaoticEclipse0" account, which include references to their age and writing in Moroccoan Darija https://x.com/ChaoticEclipse0/status/1332337678470291459

The twitter account was silent between aug 17 2023 and apr 3 2026, so it's not necessarily the same person using it anymore.

by l23k4

5/29/2026 at 4:03:24 AM 

  > most expert researchers, all a bit quirky.
Is it a surprise that if you think differently you act differently? You have to think differently to become an expert. If you thought the same (as the "average") you'd, by definition, be "average".

by godelski

5/29/2026 at 12:16:10 AM

SandboxEscaper is still alive, but yeah, Eclipse's prolific vuln dropping reminds me of her.

by lynndotpy

5/29/2026 at 1:44:52 AM

[dead]

by huflungdung

5/29/2026 at 12:34:27 AM

Passed away? What evidence do you have around that statement?

by hypercube33

5/28/2026 at 10:57:34 PM

That may go with the task of looking for low-level security holes.

by Animats

5/28/2026 at 11:18:25 PM

Or being forced into homelessness by Microsoft

by xeonmc

5/28/2026 at 11:33:54 PM

Takes a certain kind of crazy to pay your bills with bug bounties.

by ryukoposting

5/28/2026 at 11:50:55 PM

sanity isn't his job

by stainablesteel

5/29/2026 at 1:17:04 AM

ahh, the "what was she wearing" comment.

by _karie_

5/29/2026 at 1:25:58 AM

ahh, the false analogy comment.

by eddythompson80

5/29/2026 at 2:06:18 AM

“False analogy” isn’t a counterpoint, it's a deflection. What part of the mapping breaks for you?

by _karie_

5/29/2026 at 2:23:38 AM

False analogy isn’t a deflection, it’s a logical fallacy.

by eddythompson80

5/29/2026 at 2:36:28 AM

Because you don't agree doesn't make the legitimate callout (i.e., victim-blaming “what were you wearing” vs. calling someone “unhinged” after they've endured repeated abuse/stress) a logical fallacy. Rather it positions you in opposition.

Everything you disagree with isn't incorrect.

by _karie_

5/29/2026 at 4:10:46 AM

I don't really see any evidence of abuse in this post, though. It doesn't really say what Microsoft did, other than ban them from github after they said they will "make Microsoft's bones shatter".

It reads to me like Microsoft didn't pay him what he thought he earned from the exploits (i have no idea who is in the right on that), and then he published a zero day with no notification and threatened the company. Doesn't seem ridiculous to ban them at that point.

Again, I don't know the details so I cant say who is in the right, but the researcher comes off as a little bit unhinged and entitled. Not paying a bug bounty is 'ruining my life'?

by cortesoft

5/30/2026 at 5:44:20 AM

> Again, I don't know the details so I cant say who is in the right

You are unsure of the details, so you instinctively choose to align with the $3T corporation. Further you assert the responsible discloser is "unhinged" for having a reaction to sustained abusive behavior by that $3T corporation.

Who exactly is unhinged here: the person who had a human reaction to abuse, or the person who thinks they are social in-group status with Microsoft? My vote is on the latter.

by _karie_

5/30/2026 at 6:52:25 AM

now, that should teach him to sell those on black marked instead

I'm mostly joking here, but Microsoft is one of few companies that handle cyber security in a way that really incentive people to not report them.

it's either by downplaying impact and not paying or paying very little or doing other researcher hostile activities.

especially that someone here mentioned some time ago that black market pays about 3x for the same class of vulnerability, so you need fairly high moral standards to go direct way

by Szpadel

5/29/2026 at 10:27:03 AM

One should just exploit it next time :D

by StatelessAnton

5/29/2026 at 12:51:59 AM

A perfect storm of GitHub's own self-destruction and downfall all done by themselves.

Microsoft is playing with fire against a researcher that has a track record of finding 0 days out of thin air. Quite a dumb thing to do.

This researcher should instead pivot to crypto smart contract bounties instead. A much larger payout there instead of compaines like Microsoft.

by rvz

5/28/2026 at 10:58:48 PM

Surely, the public string of exploits means he can find gainful employment from any of the various spooks?

by 0cf8612b2e1e

5/29/2026 at 12:04:44 AM

I know quite a few extremely skilled people who aren't employed in a technical field. Usually it's some combination of not working well with others, lack of formal credentials and the means to acquire them, or a criminal record. Government work also means you have to be morally okay with what the government does (or willfully ignorant), able to pass a background check, and be willing to go through the security clearance process.

by ndiddy

5/29/2026 at 12:54:10 AM

People with skills/means don't want to live in the cheap city/suburb where they have offices. Work from home obviously isn't a thing.

by throwaway85825

5/29/2026 at 3:56:28 AM

Government work also usually means relocating. The money wouldn't be good enough for me to uproot my family.

by stackghost

5/29/2026 at 1:03:26 AM

"People with skills" just don't care for corporate or government bullshit. You may know them as "not being employed in a technical field", but it's just because you got filtered out.

by lstodd

5/28/2026 at 11:08:28 PM

The optics don't look good for Microsoft, but we don't know their side of the story.

by MiscIdeaMaker99

5/28/2026 at 11:21:55 PM

It doesnt really matter. Banning someone GitHub account change literally nothing and its another proof Microsoft is not to be trusted as steward of open source platform.

by SXX

5/29/2026 at 12:56:42 AM

Worse, cant be trusted to have secure products.

by throwaway85825

5/29/2026 at 2:11:49 AM

They lost the trust of having secure products a long time ago. Windows is directly responsible for the rash of varying quality EDR & other "security software" for endpoints.

I mean it took them until Windows 10 to move font rendering out of Ring 0, you could run malicious code in kernel space from a freaking font on a web page at one point.

by thewebguyd

5/29/2026 at 7:54:51 AM

We need to move to IPFS or something federated for source code

by frobisher

5/29/2026 at 9:47:29 AM

Hosting it yourself is trivial and cheap. Git is not heavy protocol, nor git over https

by PunchyHamster

5/29/2026 at 12:52:02 AM

User also got themselves banned from Gitlab, an unrelated company. Their quotes in the article are threatening violence and destruction toward Microsoft.

I don’t know what’s going on, but given that they’re getting banned from multiple unrelated organizations and threatening to “crush their bones” and such, I suspect this is probably just a regular old case of someone being abusive and unhinged, getting banned because of it, and then claiming conspiracy.

What, exactly, did this person post to GitHub and/or Gitlab that got them banned? We should all know by now that any exploits posted to GitHub are cloned and forked everywhere immediately. Why are these articles so vague about what was posted?

Also, these conspiracy theories that the NSA or other .gov is forcing this are quite ridiculous, as it would be infinitely easier for them to just hand the guy a pile of money than to Streisand effect it with a visibly unhinged guy talking about dead man’s switches and crushing bones.

by Aurornis

5/29/2026 at 1:50:14 AM

Before we go down the road of analyzing someone's reaction, we should first analyze what they're reacting to: How much money did microsoft bilk this person out of? What is a reasonable reaction to someone taking that much money out of your paycheck?

by ImPostingOnHN

5/29/2026 at 11:30:34 AM

Also, as a practical matter, maybe do as someone says if they have this many zero days sitting around?

While they may have violated various TOS, it's my understanding that dropping a zero day like one would drop the mic at the end of an epic rant is not inherently illegal.

Maybe don't piss off your betters?

by firefax

5/29/2026 at 1:29:20 PM

Microsoft owns Github and Windows, makes sense. "Security researchers" love attention however, and I'm going to guess this one knew it would happen and is now making hay on the fact that it did. Now let me roll out the tired authoritarian excuses to wrap up the thread.

>It's a private company. They can do what they want.

>Freedom of speech isn't freedom from consequences.

>Build your own github.

Did I miss any?

by panny

5/29/2026 at 5:38:23 AM

The combination of an overly unstable dramatic researcher, a tech news community which will undermine truth in a desperate plead for some clicks and people that are readily willing to believe everyone is constantly just casually in contact with the NSA, gives us these third rate stories

by breppp

5/28/2026 at 11:18:14 PM

Also recently:

Satya Nadella says as much as 30% of Microslop code is written by AI:

https://www.cnbc.com/2025/04/29/satya-nadella-says-as-much-a...

by SXX

5/29/2026 at 1:13:12 AM

If they're using the "write lots of mediocore code faster" approach to AI and not the "write better code more slowly" approach, this is a security nightmare.

by aussieguy1234

5/29/2026 at 8:12:54 AM

"Write better code more slowly" is just regular software development, without the LLM.

by tovej

5/28/2026 at 11:53:38 PM

“Recently” this was a year ago - it’s probably more like 95% now

by throwatdem12311

5/28/2026 at 11:53:47 PM

I think you're going down a bad route when you start inserting gratuitous insults into your summaries of what other people said.

by SpicyLemonZest

5/29/2026 at 12:16:44 AM

> I think you're going down a bad route when you start inserting gratuitous insults into your summaries of what other people said.

I'm certain that the multi-trillion dollar company with a history of antisocial and anti-consumer behavior will survive some petty insults.

Though, if people who control purchasing (and/or regulatory) power tend to link increasing use of LLMs and layoffs because "AI means we don't need all those programmers and managers" to substantial and ongoing reductions in quality of the company's software and services, the discussions customers have with MSFT salesfolk may cause the company to "change course", as it were. Intermittent grassroots petty insults are one way to keep folks reminded of the stuff that CEOs and salesfolks would rather you forget.

by simoncion

5/29/2026 at 2:58:57 AM

Transforming 'Micro$oft's' name as a form of commentary is a time-honored tradition.

by Cpoll

5/29/2026 at 12:16:16 AM

I disagree with policing someone elses language like this in the first place, but it's only one insult and it's just "Microslop".

by lynndotpy

5/29/2026 at 12:37:06 AM

I don't think you should insert any number of insults into summaries of what other people said. It serves no purpose other than degrading the quality of discussion. If someone posted this comment:

> Satya Nadella says as much as 30% of Microsoft code is written by AI. More like Microslop, haha!

we'd all recognize that the last sentence is pointless name-calling (and thus violates the HN guidelines). But by interleaving the insult, it's easy to trick oneself into thinking that it's meaningful commentary. The quality of HN as a discussion forum requires holding ourselves to a higher standard than that.

by SpicyLemonZest

5/29/2026 at 12:48:59 AM

It isn't name calling its a fact. Their software was and now increasingly F grade quality. Microslop.

by keepupnow

5/29/2026 at 3:18:12 AM

Ooops. Just copilot-made mistake of 30% comment that been AI generated. Kidding.

Actually I was a reference of Microsoft banning people on their Discord.

Because out of top "evil corps" Microsoft seem to have worst PR department.

by SXX

5/31/2026 at 10:42:46 AM

And now we know a large reason why Microsoft purchased GitHub.

by qsxfthnkp2322

5/29/2026 at 11:04:41 AM

Just create a new account :D

by sscaryterry

5/29/2026 at 12:58:11 AM

Looks like Microslop will have a happy Bastille day. Getting popcorn.

by bnagh

5/29/2026 at 5:14:46 AM

why doesn't he sell those to someone like zerodium

the bugs he is publishing are exactly the class of bugs that they would love to buy

by karel-3d

5/29/2026 at 10:03:29 AM

Looks like Zerodium shut down last year

by robocat

5/29/2026 at 10:34:41 AM

There are more similar ones

by karel-3d

5/29/2026 at 12:38:37 AM

The NSA isn't even subtle anymore jeez.

by vasco

5/29/2026 at 2:48:59 AM

_NSAKEY part deux

by mmastrac

5/28/2026 at 11:07:53 PM

This is such a bad idea and what the point anyway? Once 0-day is out its out.

Almost like trying to censor leakef HDCP key.

by SXX

5/29/2026 at 7:21:21 AM

I mean he should sell those 0days to exploit.im market for a good money instead of going for "whitehat" if you want maximum damage

by stevefan1999

5/28/2026 at 11:34:38 PM

Basic conflict of interest stuff

MS owns GH. It's tonedeaf and criminal

by alex1138

5/29/2026 at 9:39:45 AM

>It's tonedeaf and criminal

Hasn't that been their MO since the start? Absolutely scummy company.

by yuye

5/28/2026 at 11:21:01 PM

[flagged]

by pslab

5/30/2026 at 1:43:33 AM

Yeah because he didn't responsibly report it. What did he expect?

by onesingleblast

5/28/2026 at 11:21:42 PM

[dead]

by sorry_outta_gas

5/29/2026 at 12:24:11 AM

Lol, they ban a security researcher from Github for embarassing them, but massgrave's Microsoft Activation Scripts isn't just still on Github but verified?

Make it make sense, Microsoft.

by mschuster91

5/29/2026 at 12:55:20 AM

Pirating windows keeps you in the ecosystem so they can sell ads/games/365/cloud etc.

by throwaway85825

5/29/2026 at 12:45:18 AM

Microsoft hasn’t particuarly cared about consumers pirating Windows for more than a decade. I’m pretty sure they make close to 0 money off Windows licensing to consumers.

by sgjohnson

5/29/2026 at 1:59:39 AM

A quote from Billy G comes to mind

> Although about 3 million computers get sold every year in China, people don't pay for the software. Someday they will, though," Gates told an audience at the University of Washington. "And as long as they're going to steal it, we want them to steal ours. They'll get sort of addicted, and then we'll somehow figure out how to collect sometime in the next decade.

Microsoft's attitude has always been if someone is going to pirate an OS, they'd rather that be Windows than a competitor's platform.

by thewebguyd

5/29/2026 at 11:40:07 AM

Is there any other OS that gets pirated these days? Are Hackintosh still a thing?

by debugnik

5/29/2026 at 12:16:35 PM

> Are Hackintosh still a thing?

A dying breed, most Intel machines have already fallen out of support and the few remaining ones (e.g. 2019 16-inch MBP) won't get any new OS updates after end of this year.

by mschuster91