55 comments

[ 4.1 ms ] story [ 88.9 ms ] thread
Researcher seems a bit unhinged.
Surely, the public string of exploits means he can find gainful employment from any of the various spooks?
Not if they can’t gain or maintain a security clearance.
Shoot the messenger. That’ll fix it.
Maybe they want to incentivise selling exploits to nation states, not patching them?
I can’t help but feel Microsoft will regret this.

Guy finds zero days and gets no compensation. Instead gets banned.

Guy sells zero days elsewhere.

Why would they regret it? According to the person who found them, they put those vulnerabilities there for a reason.
This is such a bad idea and what the point anyway? Once 0-day is out its out.

Almost like trying to censor leakef HDCP key.

The optics don't look good for Microsoft, but we don't know their side of the story.
[flagged]
Is there any public word from Microsoft about what is going on here? Why would both Microsoft and Gitlab ban the user? I thought both platforms allowed hosting exploits and security research as long as everything is clearly marked up-front, I'm guessing some rules were broken?
Some of the exploits are suspected to be intentional govt backdoors. It is easy to see why Gitlab would ban the user, given that they can be secretly subpoenad as any other US or allied entity.
Basic conflict of interest stuff

MS owns GH. It's tonedeaf and criminal

>It's tonedeaf and criminal

Hasn't that been their MO since the start? Absolutely scummy company.

What's the backstory on this researcher? They seem to have a personal vendetta against Microsoft and thus releasing zero days that he found with the help of AI?

Seems like the gold rush period is over for bounty hunters and its more about who has access to hardware/token capital.

Amidst abysmal uptime, Ghostty leaving and now this, GitHub is accelerating their own downfall.
Has Microsoft just created an editorial responsibility for itself to remove zero days from GitHub?

If my software winds up with a zero day on GitHub, will Microsoft nuke that account, too?

No idea what's happening here, but the First Rule Of Major Bug Bounty Programs is that everybody involved on the vendor side is actively incentivized to pay out. In many cases, there are people whose internal metrics depend on payouts. Payouts are causes for celebration in these programs. Microsoft is almost certainly[†] not trying to save money by screwing over bounty claimants.

This might not be true of small companies (and is a reason why small companies shouldn't run bug bounty programs), but it is definitely true of FAANG/MAG7-scale companies.

This doesn't mean these bounty programs err on the side of paying out, or that they won't routinely make decisions that will piss you off. It does however work against claims that they're withholding payouts vindictively.

[†] Only hedging because it's been a minute since I've talked to anyone at Microsoft.

Lol, they ban a security researcher from Github for embarassing them, but massgrave's Microsoft Activation Scripts isn't just still on Github but verified?

Make it make sense, Microsoft.

The NSA isn't even subtle anymore jeez.
A perfect storm of GitHub's own self-destruction and downfall all done by themselves.

Microsoft is playing with fire against a researcher that has a track record of finding 0 days out of thin air. Quite a dumb thing to do.

This researcher should instead pivot to crypto smart contract bounties instead. A much larger payout there instead of compaines like Microsoft.

User also got themselves banned from Gitlab, an unrelated company. Their quotes in the article are threatening violence and destruction toward Microsoft.

I don’t know what’s going on, but given that they’re getting banned from multiple unrelated organizations and threatening to “crush their bones” and such, I suspect this is probably just a regular old case of someone being abusive and unhinged, getting banned because of it, and then claiming conspiracy.

What, exactly, did this person post to GitHub and/or Gitlab that got them banned? We should all know by now that any exploits posted to GitHub are cloned and forked everywhere immediately. Why are these articles so vague about what was posted?

Also, these conspiracy theories that the NSA or other .gov is forcing this are quite ridiculous, as it would be infinitely easier for them to just hand the guy a pile of money than to Streisand effect it with a visibly unhinged guy talking about dead man’s switches and crushing bones.

Looks like Microslop will have a happy Bastille day. Getting popcorn.
Very important info: https://www.theregister.com/security/2026/05/28/microsoft-0-...

In the linked Microsoft blog post, they say :

> The details of these vulnerabilities were not shared with Microsoft prior to release, and the disclosures put our customers at unnecessary risk.

So are they lying ? Why would Nightmare-Eclipse not report them if they are not ?

It's a very weird situation

Yeah, but the customer in this statement being entities that requested this backdoor. Not the people/companies who paid for the licences.
>Why would Nightmare-Eclipse not report them if they are not ?

Maybe they're a foreign intelligence cutout masquerading as a burned researcher.

>Maybe they're a foreign intelligence cutout masquerading as a burned researcher.

Whoever silently downvoted this, I'd love to hear why you so strongly disagree with my assessment.

Contrary to popular belief, it is NOT anyone's obligation to do free work for megacorps. If anyone is testing MS products for free, or reporting bugs for free, that's a gracious favor, nothing more.
I stopped reporting any security bugs I find in web apps because first time I did it I almost got arrested by the police.

The second time I did it they contacted my employer directly without even getting back to me saying they were unhappy of me reporting it and wanted to write about it after they fixed the issue.

Since then I decided it’s not worth all the hassle and I will let them be and I can also have a peaceful day.

I once tried to report an incident to a train line who had done "~a nice thing for a person~" and had photos about it on their social media. One photo was in their office and in front of a wall with a A4 page of usernames and logins for various systems on it.

I tried three different contacts I could find, only one came back to me and wanted to know what the systems did what the risk was etc. I pointed out I have no idea, and I'm absolutely not logging into mysterious systems to find out - pass it to your own IT so they can see what needs to be changed, rotated etc.

I did eventually get a message back from someone who thanked me for my diligence and said it was solved as they had now removed the photo... I really hope they had someone who understood look at it, but I decided not to engage further...

sell them to a vuln or exploit broker. problem solved.
why doesn't he sell those to someone like zerodium

the bugs he is publishing are exactly the class of bugs that they would love to buy

Looks like Zerodium shut down last year