BREAKING: Microsoft reportedly consulting with Billy Witch Doctor to summon Mega Ultra Chicken to combat rogue security researchers.
We reached out to Microsoft for comment and they declined.
From MalaysianWireless Forum:
Public complaints seen between 1 May and 10 May involved Maxis mobile, Hotlink, Maxis Fibre, Maxis wireless broadband and customer service issues.
‼️ Microsoft has responded to the recent wave of public zero-day disclosures tied to Nightmare-Eclipse.
In an MSRC post titled "A shared responsibility," Microsoft addressed RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma, saying the vulnerability details were not shared with the company before release.
That claim is contested.
Nightmare-Eclipse says at least BlueHammer wasn't a blindside. In an April 15 signed post, the actor said MSRC was fully aware of the disclosure, that a case had been filed and dismissed, and that Microsoft knew another disclosure was coming.
Microsoft's new post gives no per-CVE timeline. So right now, the public record has two conflicting versions.
Microsoft never printed the handle "Nightmare-Eclipse," but by naming all six vulnerabilities it left no doubt who the post was about.
The company says its security teams have been working "around the clock" to assess impact, protect customers, and ship updates.
It also says its Digital Crimes Unit will keep pursuing the actors who weaponize these exploits and those who enable them.
The case for coordinated disclosure is straightforward.
The point of giving a vendor advance notice is not to protect the vendor. It is to protect the people running the software.
Patch before PoC means defenders get a head start.
PoC before patch hands it to attackers.
That does not make the tension one-sided.
Researchers walk away from coordinated disclosure for reasons: slow fixes, disputed severity, no credit, no payment, broken trust, or deleted reporting accounts.
Nightmare-Eclipse claims Microsoft revoked access to the MSRC account used to report bugs, wiped it, and ignored requests for an explanation.
Microsoft's post does not address that claim directly.
It says only that it still welcomes submissions from anyone through its public researcher portal, regardless of past interactions or reputation.
Both things can be true at once.
A vendor can have a real duty to treat researchers fairly.
And a researcher can still be wrong to burn the disclosure process in a way that arms criminals.
The friction between those two points is exactly where users get hurt, and it's exactly why disputes belong inside proper channels, even after the relationship breaks down.
> the AI was miscounting inventory at Starbucks
> Microsoft blocked Claude Code for its own engineers
> Uber can't find the ROI after spending billions on AI
3 defeats for AI in the workplace this week.
WE ARE SO BACK
🚨 Brutal showing: security researcher Orange Tsai just made $375,000 in 24 hours at Pwn2Own Berlin 2026. He landed both Microsoft Edge AND Microsoft Exchange in back-to-back demos.
- Day 1: Chained 4 logic bugs to escape the Microsoft Edge sandbox. Payout: $175,000
- Day 2: Took down Microsoft Exchange in the Server category. Payout: $200,000
Congrats 🥂
Confirmed! Orange Tsai (@orange_8361) of DEVCORE Research Team (@d3vc0r3) chained 4 logic bugs to achieve a sandbox escape on Microsoft Edge, earning $175,000 and 17.5 Master of Pwn points. Full win! #Pwn2Own #P2OBerlin
I love cybersecurity (computers being silly)
but I fucking hate cybersecurity (lamp shade on head, grifter bootcamps, 50 cold LinkedIn sales dms per day, soc2 auditors, DNSSEC, “omg Firefox rce, we are so cooked”, “omg Cisco hacked”, 99 billion feet peaks LEEKED, @snyksec)