TL;DR
- GitHub Account: Nightmare-Eclipse appears to have lost his GitHub account after Windows exploit code hit the platform.
- YellowKey Risk: Microsoft now tracks the BitLocker bypass under CVE-2026-45585, keeping the dispute tied to a live Windows security issue.
- July 14 Threat: Chaotic Eclipse tied July 14 to a possible retaliatory move or release, while the fight over disclosure and bounty handling remains unresolved.
Security researcher Nightmare-Eclipse appears to have lost his GitHub account after Windows zero-day exploit code hit the platform. An earlier GitHub-hosted exploit clash had already turned the same fight public.
Earlier in May 2026, security researcher Chaotic Eclipse brought the YellowKey zero-day into public view, with the BitLocker bypass described as opening protected Windows 11 drives with a simple USB key. Microsoft is also accused of deleting the Microsoft account Chaotic Eclipse used for bug reporting. Nightmare-Eclipse said of the work that he “got zero pennies from doing so.”
The dispute also includes accusations that Microsoft ignored zero-day reports and withheld bounty payments, although supporting evidence has not yet been released. Microsoft has not publicly explained the GitHub-ban allegation itself, but on May 27 the company cast YellowKey and related exploit releases as violations of its coordinated vulnerability disclosure process.
Microsoft’s Disclosure Rules Collide With the YellowKey Dispute
Microsoft’s public researcher portal still accepts submissions from anyone, regardless of past interactions or reputation. The policy now sits in direct tension with a researcher tied to the same dispute losing account access during the fight.
CVD, or coordinated vulnerability disclosure, is the private handoff vendors want before flaw details become public. MSRC is Microsoft’s security response team for those reports and for the bounty decisions that can follow. Researchers weighing that channel now have to judge whether a process that stays open on paper will still protect a combative submitter during a live dispute.
Microsoft expanded the clash beyond one unpaid-work complaint by naming YellowKey, RedSun, UnDefend, BlueHammer, GreenPlasma, and MiniPlasma as releases that fell outside its preferred disclosure path. Public release of working exploit details can push defenders into response mode before a patch or mitigation is ready.
William Dormann, a Tharros expert, framed the same problem as a decline in how Microsoft’s response process works:
“MSRC used to be quite excellent to work with. But to save money, Microsoft fired the skilled people, leaving flowchart followers.”
William Dormann, Tharros expert
Dormann’s criticism shows how the fight now tests confidence in Microsoft’s disclosure process, not just one relationship with one researcher.
YellowKey’s Security Stakes and Compensation Context
Microsoft’s update guide now lists the YellowKey BitLocker bypass under the official CVE-2026-45585 entry. YellowKey is now attached to a live Windows security issue with a formal identifier, not only to a grievance moving across blogs and social platforms.
BitLocker is Microsoft’s disk-encryption system, so a bypass changes the stakes from reputation to device-access risk. A simple USB-key route around that protection would matter for stolen laptops, seized devices, and any system that depends on pre-boot security to keep local data safe.
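One practical first step for a defender reading this is an inventory of how each BitLocker volume is actually gated before boot. The script below is an added example, not code from the article or from any of the researchers it describes; it uses the standard BitLocker PowerShell module (Get-BitLockerVolume) and flags volumes whose only pre-boot protector is the TPM. Whether a TPM+PIN or startup-key configuration changes the outcome for the YellowKey issue specifically is not stated by this page, so the report is an exposure inventory to read alongside Microsoft’s CVE entry, not a fix.

```powershell
# Added example (not from the article): list the key protectors on every
# BitLocker volume and flag volumes gated by the TPM alone before boot.
# Assumes Windows 10/11 with the BitLocker module available, run elevated.
# Whether any protector layout affects CVE-2026-45585 is not stated by the
# article; treat this as an exposure inventory, not a mitigation.

# Protector types that require something beyond the TPM at pre-boot.
$preBootGates = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')

$report = foreach ($vol in Get-BitLockerVolume) {
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus          # e.g. FullyEncrypted
        ProtectionStatus = $vol.ProtectionStatus      # On / Off
        EncryptionMethod = $vol.EncryptionMethod
        Protectors       = ($types -join ', ')
        # True when the TPM unseals the key with no PIN or startup key in the path.
        TpmOnly          = (($types -contains 'Tpm') -and
                            -not ($types | Where-Object { $preBootGates -contains $_ }))
    }
}

$report | Format-Table -AutoSize

# Call out the volumes a reviewer would look at first.
$report |
    Where-Object { $_.ProtectionStatus -eq 'On' -and $_.TpmOnly } |
    ForEach-Object {
        Write-Warning ("{0} is protected by TPM only (no pre-boot PIN or startup key)" -f $_.MountPoint)
    }

# Volumes with protection suspended or no protectors at all are also worth flagging.
$report |
    Where-Object { $_.ProtectionStatus -ne 'On' } |
    ForEach-Object {
        Write-Warning ("{0} has BitLocker protection '{1}'" -f $_.MountPoint, $_.ProtectionStatus)
    }
```

Run it on a representative set of laptops (or via your management tooling) to see how much of the fleet relies on TPM-only unlock; the protector column is the field to compare against whatever Microsoft publishes for the CVE.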
Microsoft’s MSRC bounty program advertises awards of up to $250,000 for higher-severity classes of flaws. Real money sits behind the choice between private submission and public release, which helps explain why unpaid-work complaints carry more weight than a routine vendor argument.
Microsoft’s bounty guidance also ties higher awards to detailed analysis, reproduction steps, and proof-of-concept support. Private coordination is central to Microsoft’s customer-protection case, while critics see mixed signals when the company promotes compensation but still faces claims of ignored submissions and unpaid work.
Prior Conflict and the Next Escalation Point
April 2026 already brought GitHub-hosted zero-day code and a public dispute with Microsoft’s response team. Later in May, a MiniPlasma exploit release showed the same researcher was still widening the sequence of Windows disclosures.
Account and platform allegations are landing in the middle of that escalation, not after a settled disclosure dispute. Microsoft’s disclosure post still anchors the company’s position, and the official CVE listing keeps YellowKey framed as an unresolved security issue rather than a closed argument over tone.
Chaotic Eclipse tied July 14 to another possible release or retaliatory action against Microsoft, while Nightmare-Eclipse separately warned that the date could bring further retaliation. Another exploit dump remains unconfirmed, but the dispute now has a visible deadline and no public sign that the underlying trust breach has been repaired.