It's been a busy couple of weeks in the world of disclosure. A string of Windows zero-days have been dropped publicly with no coordination, and the relationship between independent researchers and the Microsoft Security Response Center is being tested (more than usual).
Let's break down the MSRC drama.
Background
MSRC is the Microsoft Security Response Center that manages the Microsoft bug bounty program, where researchers disclose vulnerabilities to Microsoft, get CVEs issued, and potentially get paid.
A researcher using the handle Chaotic Eclipse (publishing on GitHub as Nightmare-Eclipse) has been releasing working Windows zero-days with no advanced notice to Microsoft, citing previous drama with MSRC.
On May 27, 2026, MSRC responded with an official blog post. Here's what was dropped, then how Microsoft replied.
BlueHammer (CVE-2026-33825)
On April 2-3, 2026, the researcher posted working exploit code to GitHub, citing a Windows Defender privilege escalation bug, with no writeup, telling readers to figure it out themselves.
The stated reason for going public: earlier reports were dismissed, and MSRC reportedly required a video of the exploit at submission. A March 26 warning post had already named the MSRC VP of Engineering directly. Microsoft patched BlueHammer on April 14; the exploit was public for about two weeks first.
RedSun (CVE-2026-41091) & UnDefend (CVE-2026-45498)
Two more Defender zero-days dropped on April 16. RedSun was PGP-signed and came with a post accusing MSRC of dismissing the original report and claiming the researcher had been told Microsoft would "ruin my life." That's three Defender bugs in about thirteen days, with reporting that all three were under active exploitation and only BlueHammer had a patch at the time.
YellowKey (CVE-2026-45585)
A BitLocker bypass affecting Windows 11 and Windows Server 2022/2025. The technique: place crafted FsTx files on a USB drive or the EFI partition, reboot into the Windows Recovery Environment (WinRE), and hold CTRL to get a shell with access to protected drives. Two more, GreenPlasma and MiniPlasma, were named by Microsoft but have no CVEs yet.
Microsoft's Response
MSRC's May 27 post, "A shared responsibility," named all six (RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, MiniPlasma) and stated they were not responsibly disclosed and put customers at risk.
The notable line: Microsoft's Digital Crimes Unit "will continue bringing cases against these actors and those that enable their criminal activity," coordinating with law enforcement. The post also says MSRC will still accept submissions from anyone, regardless of past interactions.
A host of Twitter threads have started under the hashtag #MeTooMSRC, citing similar issues with reporting bugs to the program where MSRC will silently patch the bug and deny that it constitutes a real bug.
The community is split. One side: dropping unpatched exploits endangers millions of users. The other: if a researcher relationship broke down this badly, the program may need a better escalation path. Both can be true. What went so wrong that ChaoticEclipse/NightmareEclipse would drop these bugs in the wild?
Happy Hacking!
Low Level
P.S. OMG YOU READ THE WHOLE THING. TOP SECRET PODCAST IS NEW AND LIVE DONT TELL ANYONE
