BORDER CYBER GROUP — DEEP DIVE June 8, 2026 | By Jonathan Brown bordercybergroup.com
──────────────────────────────────────
The security industry spent this week doing what it does when something uncomfortable happens: it focused on the wrong person.
Nightmare-Eclipse — the anonymous researcher who dropped six weaponized Windows zero-day exploits on the internet between April and May 2026, got banned from GitHub and GitLab, threatened Microsoft with an RCE disclosure campaign timed to July Patch Tuesday, and described a dead man's switch rigged to release additional exploits automatically — has been framed by most coverage as the problem. A rogue actor. A disgruntled former employee with a grudge and a GitHub account. Microsoft's blog post on May 27 invoked its Digital Crimes Unit and warned of law enforcement coordination, language its own legal team later had to walk back after the security community erupted. The company called the disclosures "never justifiable." Countless commentators agreed.
They are looking at the wrong thing.
Nightmare-Eclipse is not the disease. Nightmare-Eclipse is what the disease looks like when it finally breaks the surface. The disease is a coordinated vulnerability disclosure ecosystem that has been quietly rotting for years, sustained by researcher goodwill that vendors have systematically eroded while publicly praising the system they are hollowing out.
Let's look at what actually happened here. And let's look at who benefits from the story being told the way it is being told.
THE MATH THAT NOBODY WANTS TO DO
Microsoft paid $17 million in bug bounties between July 2024 and June 2025, covering 1,469 eligible reports from 344 researchers — its largest annual payout ever, announced with considerable fanfare. Seventeen million dollars. Record-breaking. A testament to Microsoft's commitment to the security research community.
Microsoft generated approximately $245 billion in revenue in fiscal year 2025.
Let that sit for a moment. The company that operates the most widely deployed operating system on earth, that runs the cloud infrastructure underpinning a substantial fraction of global enterprise computing, that ships the email server sitting in the middle of hundreds of thousands of corporate networks — that company allocated $17 million, roughly 0.007% of its annual revenue, to compensate the independent researchers who find the holes in its products before nation-states and ransomware crews do.
Jacob Krell, Senior Director of Secure AI Solutions and Cybersecurity at Suzu Labs, said it plainly to Computer Weekly this week: given that Microsoft generates hundreds of billions of dollars every year, it was unreasonable to expect researchers to subsidize its product security for free. That is not a radical position. That is arithmetic. The Windows Insider Preview bounty program, Microsoft's designated channel for precisely the kind of privilege escalation findings Nightmare-Eclipse was surfacing, pays between $500 and $100,000. A Windows kernel local privilege escalation with low attack complexity, no privileges required, and no user interaction — the description that fits several of the Nightmare-Eclipse disclosures — lands somewhere in that range, at Microsoft's sole discretion.
Sole discretion. That phrase matters enormously and does not get nearly enough attention. There is no binding obligation, no independent arbitration, no external oversight of what Microsoft decides a finding is worth. The researcher brings the labor. The vendor sets the price. After the fact. And the researcher's only recourse if they disagree is to accept it, argue politely, or go public — at which point they become, in Microsoft's framing, a criminal.
Meanwhile, on the open market, the same class of vulnerability commands a fundamentally different price. Crowdfense, one of the remaining legitimate brokers after Zerodium went dark in early 2025, runs acquisition programs in the range of tens of thousands to several million dollars, with the top of the band reserved for the highest-impact chains. A universal Windows local privilege escalation — works reliably, no race condition, no per-version offsets — is not a $100,000 finding in that market. It is a house. Researchers know this. They do the math every time they sit down to write a report.
The CVD system functions because researchers choose, voluntarily, to accept less than market rate in exchange for doing the right thing. That is not a sustainable foundation for critical infrastructure security. It is a gentlemen's agreement that only holds as long as the gentlemen on the other side keep acting like gentlemen.
──────────────────────────────────────
THE ACCOUNT DELETION THAT MICROSOFT WON'T CONFIRM OR DENY
The specific facts of the Nightmare-Eclipse dispute are contested in a revealing way.
The researcher's account, published on the Blogspot page at deadeclipse666.blogspot.com, is that they submitted vulnerability reports through Microsoft's MSRC portal. Microsoft then deleted the Microsoft account used to make those submissions. Without an account, there is no official submission channel. Without an official submission channel, coordinated disclosure is impossible — not impractical, impossible. The researcher was locked out of the very process they are now being condemned for not using.
Microsoft's response to questions about this specific allegation, put directly to the company by The Register: "Microsoft does not remove MSRC researcher portal accounts, which is where anyone can submit a vulnerability to the company. Microsoft cannot confirm which account this person is claiming was deactivated."
Read that response carefully. It does not say the account was not deleted. It says Microsoft does not remove MSRC researcher portal accounts as a matter of policy, and that it cannot confirm which account was deactivated. These are not the same thing as a denial. If the account deletion did not happen, the response would be: "The account was not deleted." Microsoft did not say that.
What the company did say, in its May 27 blog post, is that none of the six vulnerabilities were reported via official channels prior to public disclosure. That is technically consistent with the researcher's account of events — if the submission channel was closed, nothing could be reported through it. Microsoft is presenting the absence of formal disclosure as evidence of bad faith. The researcher is presenting the same absence as evidence of a locked door.
Katie Moussouris — who created Microsoft's bug bounty program in the first place, who fought internally against Microsoft executives who did not want to pay researchers anything, who spent years building the institutional infrastructure that makes CVD function — put it succinctly to The Register: Microsoft's May 27 post "confusingly claims their program 'ensures researchers are compensated and publicly acknowledged' in a statement answering a researcher who says he got neither." The language choices, she added, were not deescalating. Kevin Beaumont, a security researcher and former Microsoft employee, called it "a dumpster fire of its own making."
These are not random critics. These are the architects and senior practitioners of the system Microsoft is claiming to defend.
──────────────────────────────────────
THE REGRESSION THAT NOBODY FIXED
Set aside the bounty dispute and the account deletion allegation for a moment. Focus on the technical record, because the technical record is independently damning.
MiniPlasma, the final exploit in the Nightmare-Eclipse series, targets a vulnerability in the Windows Cloud Filter driver — the cldflt.sys component that underlies OneDrive file synchronization. The root cause is a flaw in the HsmOsBlockPlaceholderAccess routine that allows arbitrary registry key creation in the .DEFAULT user hive without proper access checks, enabling privilege escalation to SYSTEM.
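Given the primitive described above (an unprivileged caller causing a key to be created under HKU\.DEFAULT, the SYSTEM account's own profile hive), the check a defender can deploy today is a log rule rather than a patch. The following is an added example, not code from the article or from any of the parties it describes: a small Python filter over Sysmon-style Event ID 12 (RegistryEvent, key create/delete) records that flags key creation under HKU\.DEFAULT by any principal other than SYSTEM. The log lines are constructed for the example. The detection assumes the create surfaces attributed to the unprivileged user's process (registry callbacks fire on the calling thread, so a kernel driver acting on behalf of a user-mode caller is reported under that caller), and it assumes a Sysmon configuration that actually records RegistryEvent for HKU\.DEFAULT, which many default configs filter out; the high-value sub-path list is an illustrative choice, not a vendor-published one.

```python
"""Flag registry key creation under HKU\\.DEFAULT by non-SYSTEM principals.

Hypothetical detection over Sysmon-style Event ID 12 (RegistryEvent,
key create/delete) records flattened to one JSON object per line.
The sample records below are constructed for this example, not captured
from a real host.
"""
import json
from typing import Iterable, List, Optional

# HKU\.DEFAULT is the SYSTEM account's HKCU, so SYSTEM is the only
# principal expected to create keys there. LocalService and NetworkService
# have their own hives (S-1-5-19 / S-1-5-20) and are not expected either.
EXPECTED_WRITERS = {"NT AUTHORITY\\SYSTEM"}

# Sysmon renders user hives as HKU\<sid-or-.DEFAULT>\ in TargetObject.
DEFAULT_HIVE_PREFIX = "HKU\\.DEFAULT\\"

# Sub-paths under .DEFAULT that SYSTEM later consumes; a write there by an
# unprivileged user is more than a curiosity. Illustrative list (assumption).
HIGH_VALUE_SUBPATHS = (
    "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows",
    "Environment",
)


def normalize(path: str) -> str:
    """Normalise separators so mixed-slash paths compare correctly."""
    return path.replace("/", "\\").strip()


def classify(event: dict) -> Optional[dict]:
    """Return a finding for an anomalous .DEFAULT key create, else None."""
    if event.get("EventID") != 12 or event.get("EventType") != "CreateKey":
        return None
    target = normalize(event.get("TargetObject", ""))
    if not target.upper().startswith(DEFAULT_HIVE_PREFIX.upper()):
        return None
    user = event.get("User", "")
    if user.upper() in {u.upper() for u in EXPECTED_WRITERS}:
        return None
    relative = target[len(DEFAULT_HIVE_PREFIX):]
    severity = "medium"
    for sub in HIGH_VALUE_SUBPATHS:
        if relative.upper().startswith(sub.upper()):
            severity = "high"
            break
    return {
        "severity": severity,
        "user": user,
        "image": event.get("Image", ""),
        "pid": event.get("ProcessId"),
        "target": target,
        "reason": "non-SYSTEM principal created a key under HKU\\.DEFAULT",
    }


def scan(lines: Iterable[str]) -> List[dict]:
    """Run classify() over JSON-per-line records, skipping malformed lines."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # a bad record should not take the pipeline down
        hit = classify(event)
        if hit is not None:
            findings.append(hit)
    return findings


# Constructed sample: one benign SYSTEM write, two user-context creates under
# .DEFAULT (one into Run), a delete, a write to the user's own hive, and a
# SetValue event that this rule deliberately ignores.
SAMPLE_LOG = r"""
{"EventID": 12, "EventType": "CreateKey", "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\svchost.exe", "ProcessId": 1204, "TargetObject": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"}
{"EventID": 12, "EventType": "CreateKey", "User": "DESKTOP-LAB\\alice", "Image": "C:\\Users\\alice\\Downloads\\poc.exe", "ProcessId": 5588, "TargetObject": "HKU\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\x"}
{"EventID": 12, "EventType": "CreateKey", "User": "DESKTOP-LAB\\alice", "Image": "C:\\Users\\alice\\Downloads\\poc.exe", "ProcessId": 5588, "TargetObject": "HKU\\.DEFAULT\\Software\\Vendor\\Test"}
{"EventID": 12, "EventType": "DeleteKey", "User": "DESKTOP-LAB\\alice", "Image": "C:\\Windows\\regedit.exe", "ProcessId": 6001, "TargetObject": "HKU\\.DEFAULT\\Software\\Vendor\\Old"}
{"EventID": 12, "EventType": "CreateKey", "User": "DESKTOP-LAB\\alice", "Image": "C:\\Windows\\regedit.exe", "ProcessId": 6001, "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Vendor"}
{"EventID": 13, "EventType": "SetValue", "User": "DESKTOP-LAB\\alice", "Image": "C:\\Windows\\regedit.exe", "ProcessId": 6001, "TargetObject": "HKU\\.DEFAULT\\Software\\Vendor\\Test\\Val"}
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding["severity"], finding["user"], finding["image"], finding["target"])
```

On the constructed sample this yields two findings, both for alice's process: a high-severity one for the Run key and a medium one for the vendor key. An administrator driving regedit will also trip it, so in production the rule belongs at alert-and-triage rather than block severity, and it says nothing about an attacker who already runs as SYSTEM; it is a signal for the specific privilege boundary the MiniPlasma bug crosses, not a general registry monitor.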
This vulnerability was discovered and reported to Microsoft by James Forshaw of Google Project Zero in September 2020. Forshaw is one of the most technically rigorous vulnerability researchers in the world. His reports are detailed, reproducible, and unambiguous. Microsoft assigned CVE-2020-17103 and shipped a patch in December 2020.
Six years later, the original Project Zero proof-of-concept code — unmodified, unchanged, exactly as Forshaw wrote it in 2020 — produces a SYSTEM shell on Windows 11 machines running the May 2026 cumulative updates. Security researcher Will Dormann confirmed this on Mastodon. ThreatLocker confirmed it independently. The exploit works reliably on fully patched current builds.
How does this happen? Either the patch was never properly implemented, or it was implemented and silently regressed at some point in the intervening six years of Windows update cycles. Neither explanation reflects well on Microsoft's engineering quality controls. A patch that does not survive six years of cumulative updates is not a patch. It is a press release.
Nightmare-Eclipse did not invent this vulnerability. Nightmare-Eclipse rediscovered that a published, credited, supposedly fixed six-year-old vulnerability was still present and weaponizable, modified the PoC to produce an interactive shell rather than merely demonstrate the flaw, and published the result. The appropriate response to that revelation — from the security community, from Microsoft, from the press — should be sustained anger about the regression. Instead, the industry has spent two weeks debating disclosure ethics. The company that shipped a broken fix and forgot to check whether it stayed fixed has largely escaped accountability for the engineering failure at the center of this story.
──────────────────────────────────────
THE SILENT PATCH PROBLEM
RedSun and UnDefend received CVE assignments — CVE-2026-41091 and CVE-2026-45498 respectively — on May 21, 2026, in an out-of-band patch release. This happened after Nightmare-Eclipse published working exploit code, after threat actors began exploiting both vulnerabilities in real attacks, after BleepingComputer and other outlets confirmed in-the-wild exploitation, and after CISA added the affected CVEs to the Known Exploited Vulnerabilities catalog.
The point is not that Microsoft eventually patched them. The point is the sequencing. Microsoft patched them when public pressure and documented exploitation made inaction politically and legally untenable. Not before. Silent patching — closing tickets with no public advisory, no CVE assignment, no notification to defenders that a fix exists and what it covers — is a documented pattern, not a one-off. Defenders cannot prioritize patches they do not know exist. Vulnerability scanners and patch-management tooling cannot track a fix that has no identifier, and detection engineers have nothing to anchor a rule to. The absence of public disclosure is not a neutral act. It is a decision to keep defenders in the dark while the vendor performs its own quiet remediation on its own timeline.
The "No More Free Bugs" campaign launched in 2009 was a watershed moment in the relationship between researchers and vendors. Before it, researchers were expected to report vulnerabilities, wait indefinitely for fixes that might never come, accept no compensation, and be grateful for the opportunity to improve someone else's product at their own expense. The campaign established that this arrangement was structurally unfair. Bug bounty programs proliferated in its wake. The industry told itself the problem had been solved.
It had not been solved. It had been patched — in the other sense of the word.
──────────────────────────────────────
WHAT THE BANS ACTUALLY MEAN
GitHub is owned by Microsoft. GitLab is not, but acted within days of GitHub's ban. Both platforms cited their terms of service, which prohibit hosting content designed to enable attacks on systems without authorization. The weaponized executables — compiled binaries that spawn a SYSTEM shell, not technical writeups describing a vulnerability class — were the specific objects in question. That is a defensible distinction. Hosting a research paper about a vulnerability and hosting a ready-to-run SYSTEM shell dropper are genuinely different acts.
But the timing and the reach of the bans tell a different story about what was actually being managed. The GitHub ban came on May 23, weeks after the disclosures had already happened, after the exploits had already been downloaded, mirrored, and redistributed across the internet, after three of the six had already been confirmed exploited in real attacks. The binaries were already loose. Banning the account did not remove them from circulation. It removed the researcher's ability to publish anything further — the dead man's switch, the Blogspot announcements, the technical documentation — from a platform that Microsoft controls.
This is the part where institutional interests and security interests diverge visibly. A researcher whose account is deleted from MSRC, who has no functional channel for private disclosure, who publishes vulnerabilities that are real and critical and demonstrably not fixed, and who then gets banned from the code hosting platform owned by the vendor they are criticizing — that researcher has been structurally pushed out of every legitimate avenue for engaging with the vendor. The ban is not a security measure. It is a silencing measure that arrives too late to contain the security damage and just in time to limit the reputational damage.
──────────────────────────────────────
THE HACKTIVISM FRAMING AND WHY IT MATTERS
Nightmare-Eclipse has been called many things. A criminal. A rogue researcher. A disgruntled former employee. What the coverage has largely avoided calling them is a hacktivist — someone using technical capability to force a political outcome through sustained, public, high-impact action against a specific target.
That framing matters because hacktivism has a different moral grammar than criminal activity, and the security industry's refusal to apply it here says something uncomfortable about whose interests the discourse is organized to protect. When hacktivists leak documents from authoritarian governments, the security community debates the ethics with nuance. When a researcher publishes weaponized exploit code against a multi-trillion-dollar corporation that has documented failings in its treatment of the researchers it depends on — that same community reaches immediately for criminal framing and threat actor designations.
Barracuda Networks characterized Nightmare-Eclipse as a "malicious actor driven by a personal grievance." That framing is not wrong, exactly. The grievance is personal. The actor is using methods that have caused collateral harm. But consider what the "malicious" designation requires you to ignore: that the vulnerabilities were real; that Microsoft's patch for MiniPlasma was broken for six years; that three of the six disclosures were eventually confirmed exploited by threat actors regardless of whether Nightmare-Eclipse had published them — because vulnerabilities that exist get found by more than one person; that the researcher's stated channel for private disclosure was, according to their account, closed by Microsoft; and that the "bone shattering" language and dead man's switch read, at minimum, as someone who has exhausted every other form of leverage and is weaponizing the only one remaining.
None of this makes the collateral damage acceptable. Organizations got hit. Real defenders scrambled on real timelines against exploits for which no patch existed. That harm is real. But the harm from three actively exploited Windows zero-days is not solely attributable to the person who published them. It is also attributable to the vendor that shipped a regression, sat on silent patches, and managed a researcher relationship badly enough that this outcome became the result.
──────────────────────────────────────
THE SOCIAL CONTRACT IS BREAKING, AND THE INDUSTRY SHOULD STOP PRETENDING IT ISN'T
The "No More Free Bugs" era was supposed to solve the structural unfairness of asking researchers to subsidize vendor security. It did not solve it. It created a market mechanism — bug bounties — that gave vendors a way to pay researchers minimally, on their own terms, with no external accountability, while retaining all the moral vocabulary of a fair exchange.
A $17 million annual payout sounds significant until you divide it across the global attack surface Microsoft presents. Until you compare it to the price the gray market pays for the same findings. Until you read the researcher threads flooding in response to this week's coverage — years of ignored reports, closed MSRC tickets marked "not a security issue" that were later silently patched, accounts suspended without explanation, bounties reduced or denied on technicalities after the work was done.
Katie Moussouris built the system. She has spent years warning that the system is not working as designed. "Intrinsically, it is exploitative of the labour market," she told Computer Weekly. "You are asking them to do speculative labour, and you are getting something quite valuable out of them." Bug bounty programs, she has argued, have become an exercise in piling on incentives instead of looking at the full picture of how vendors treat the researchers they depend on. The market she created has been used to create exactly the perverse incentives she warned about.
Nightmare-Eclipse is one person with deep Windows internals knowledge, a documented grievance, no current income — "left me homeless with nothing," the first Blogspot post reads — and the specific combination of skills and desperation that makes quiet compliance a worse option than public warfare. That person is not the aberration. That person is the signal.
The security research ecosystem generates billions of dollars of value for software vendors. It does so largely through the voluntary, undercompensated labor of independent researchers who could sell the same findings for vastly more on commercial or government markets but choose, for reasons of ethics or reputation or community, not to. That choice is not guaranteed. It is not structural. It is a preference that erodes when the other side of the exchange consistently fails to hold up its end.
When that preference erodes in someone with nothing left to lose, you get Nightmare-Eclipse. When it erodes more broadly, you get something the industry has no language for yet, because it has not happened at scale. But the conditions that produced this specific researcher are not unique to this specific researcher. The deleted accounts, the disputed bounties, the silent patches, the closed tickets — these are not edge cases. They are a pattern that hundreds of researchers recognized immediately when this story broke, because they have lived versions of it themselves.
The industry can spend the next six weeks debating whether Nightmare-Eclipse is a criminal. Or it can spend those weeks asking why the system produces Nightmare-Eclipses, and what it would take to stop producing them.
One of those conversations is easier. The other one matters.
_________
Sources: The Register, May 28 and June 2, 2026; TechCrunch, May 29, 2026; The Next Web, May 2026; Computer Weekly, May and December 2025; CPO Magazine, June 2026; Barracuda Networks Blog, May 19, 2026; ThreatLocker Blog, May 22, 2026; BleepingComputer, April and May 2026; Cyderes Howler Cell, April 2026; Windows Report, May 2026; Winbuzzer, June 2, 2026; WebProNews, June 2026; Bugcrowd, May 2026; Microsoft MSRC Blog, May 27, 2026; deadeclipse666.blogspot.com.
──────────────────────────────────────
Jonathan Brown | Border Cyber Group bordercybergroup.com | Support independent security reporting