GitHub banned an anonymous security researcher known as Nightmare-Eclipse after they publicly published 6 zero-day exploits for Windows. Three of them were being actively exploited by cybercriminals before Microsoft had a chance to release patches. The Microsoft-owned platform removed the researcher’s account, sparking a heated debate about the ethics of vulnerability disclosure.
TL;DR: Nightmare-Eclipse published 6 Windows zero-day exploits on GitHub. Three of them were being actively exploited in the wild. GitHub banned the researcher’s account, and Microsoft condemned the “uncoordinated” vulnerability disclosure, claiming it puts customers at risk. Nightmare-Eclipse has announced further publications scheduled for July 14.
Why Did GitHub Ban Researcher Nightmare-Eclipse?
GitHub removed Nightmare-Eclipse’s account for violating its terms of service regarding the publication of code that facilitates attacks on production systems. The researcher published zero-day exploits without prior notification to Microsoft, which the company says endangers hundreds of millions of Windows users. The platform decided to block the account after Nightmare-Eclipse refused to remove the exploit code.
However, banning the account did not solve the problem. Nightmare-Eclipse moved to GitLab, where they continued publishing exploits. GitLab also blocked the account within a few days. This escalation illustrates how difficult it is to control the spread of exploit code in the open git ecosystem.
How Many Windows Zero-Day Exploits Were Published?
Nightmare-Eclipse published a total of 6 zero-day exploits affecting various Windows components, including BitLocker. Three of these vulnerabilities were being actively exploited by cybercriminals at the time of publication. The most controversial exploit targeted BitLocker in Windows 11 — the researcher claimed the vulnerability was an intentional design choice by Microsoft. As The Register reports, the researcher announced another round of publications for July 14.
It is worth analyzing the types of vulnerabilities disclosed:
- Local privilege escalation vulnerabilities in system services
- An exploit targeting BitLocker encryption in Windows 11
- Memory handling bugs in kernel drivers
- Vulnerabilities enabling bypass of process isolation mechanisms
- Flaws in Windows network protocol implementations
- Bugs in executable file permission validation mechanisms
- Vulnerabilities in the cache management subsystem
- Flaws in kernel-mode driver handling
- Validation bugs in the system’s security architecture
How Is Microsoft Responding to Public Vulnerability Disclosure?
Microsoft strongly condemned the practice of uncoordinated vulnerability disclosure, calling it an unnecessary risk to customers. The company issued an official statement urging researchers to follow responsible disclosure principles by coordinating with the MSRC team before publishing any exploits. Infosecurity Magazine reports that Microsoft warned that disclosing several unpatched vulnerabilities without prior notice exposed customers to unnecessary danger.
Nightmare-Eclipse, however, claims they had previously tried to contact Microsoft, but the company ignored their reports. The researcher stated they have proof for every claim and that Microsoft deliberately blocked their developer account to silence their discoveries. The conflict took on a personal dimension — the researcher accused the company of ruining their life.
What Is Responsible Disclosure and Why Is It Controversial?
Responsible vulnerability disclosure is the practice of notifying the software vendor about a discovered flaw before publishing it publicly. The standard period is 90 days from reporting to publication, giving the vendor time to prepare a patch. Nightmare-Eclipse completely ignored this protocol, publishing the exploits immediately, without any prior notice to Microsoft.
The table below compares different vulnerability disclosure models:
| Disclosure Model | Time to Patch | Vendor Coordination | Risk to Users |
|---|---|---|---|
| Responsible disclosure | 90 days | Yes | Low |
| Full disclosure | None | No | High |
| Bug bounty | Variable | Yes | Low |
| Vendor disclosure | Agreed upon | Yes | Minimal |
The controversy stems from the fact that full disclosure is sometimes the only way to force large companies to respond. Historically, research teams like Google Project Zero have enforced hard publication deadlines after 90 days, regardless of whether a patch was ready. Nightmare-Eclipse went even further, however: they gave Microsoft no time to respond at all.
What Consequences Does the Researcher Face After the GitHub and GitLab Bans?
After being banned on GitHub, Nightmare-Eclipse lost access to their repository, commit history, and all submissions. They moved to GitLab, but that platform also blocked their account within a few days. As Tom’s Hardware reports, the researcher claims Microsoft ruined their life, and an expert evaluates the company’s actions as vindictive.
Nightmare-Eclipse also lost access to their Microsoft account, meaning the loss of software licenses, cloud data, and other services tied to the account. This is a drastic penalty for publishing vulnerabilities, raising questions about the proportionality of the company’s actions. The researcher has announced further publications as a form of retaliation.
What Alternative Tools Remain for Publishing Exploits?
After being banned on GitHub and GitLab, Nightmare-Eclipse lost the two largest code hosting platforms. However, the researcher announced the publication of further exploits on July 14, meaning they will move their activity to other channels. As The Hacker News reports, Microsoft condemned the uncoordinated vulnerability disclosure, but the researcher has no intention of backing down. Alternatives to traditional git platforms include:
- Tor networks and hidden .onion services
- Pastebin platforms and their clones
- Darknet discussion forums
- Telegram channels with end-to-end encryption
- Self-hosted git servers outside US jurisdiction
- Decentralized networks like IPFS
- Full disclosure mailing lists
- Mastodon platforms and RSS channels
Blocking accounts on major platforms will not stop the spread of code. The ecosystem of open-source and decentralized tools is too vast for any single company to control.
How Does This Case Differ from Standard Vulnerability Disputes?
The conflict between Nightmare-Eclipse and Microsoft goes beyond typical responsible disclosure disputes. The researcher not only disclosed 6 zero-day exploits without notification but also accused Microsoft of intentional design flaws in BitLocker. Windows Central confirms that the researcher stated: “I have proof for every claim.” The escalation took on a personal dimension.
Here are the key differences between this case and standard conflicts:
- Nightmare-Eclipse gave Microsoft no time to respond — publication was immediate
- Three of the 6 exploits were being actively exploited at the time of disclosure
- The researcher lost not only their GitHub account but also their Microsoft account with data and licenses
- Nightmare-Eclipse announced “retaliation” and another round of publications on July 14
- GitLab blocked the account within days of GitHub, showing platform coordination
- Public accusations of intentional design flaws in BitLocker
- Complete disregard for the 90-day patch preparation period
- Loss of access to a developer account with data and licenses
- Announcement of conflict escalation and further publications
Typical vulnerability disputes end with publication after 90 days. This is a personal war.
What Are the Real Threats to Windows Users?
Windows users are exposed to attacks exploiting three active zero-day exploits that do not yet have available patches. The Register confirms that Nightmare-Eclipse has announced further publications on July 14. Cybercriminals can analyze the published code to create their own exploit variants.
The most significant consequences, however, affect the research community. When researchers publish exploits without coordination, software vendors tighten their cooperation with hosting platforms. That is why GitHub and GitLab reacted so quickly. Users should:
- Regularly update Windows
- Enable automatic updates
- Use antivirus software with behavioral protection
- Avoid suspicious attachments and links
- Monitor MSRC security bulletins
- Use EDR (Endpoint Detection and Response) tools
- Implement multi-factor authentication on accounts
- Regularly back up important data
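The checklist above can be turned into a read-only posture check on a single host. The script below is an added example, not code from the article, from Microsoft or from the researcher; it assumes an elevated PowerShell session on Windows 10/11 with the Defender and BitLocker modules present, and the 30-day patch-age and 7-day signature-age thresholds are assumptions chosen for this example.

```powershell
# Added example (not from the article): read-only audit of a Windows host against
# the checklist above: automatic updates, patch freshness, behavioural AV, BitLocker.
# Run elevated. Thresholds (30 days, 7 days) are assumptions for this example.

$findings = [System.Collections.Generic.List[string]]::new()

# --- Automatic updates: the policy value NoAutoUpdate=1 turns them off ---
$auPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$noAuto = (Get-ItemProperty -Path $auPolicy -Name NoAutoUpdate -ErrorAction SilentlyContinue).NoAutoUpdate
if ($noAuto -eq 1) { $findings.Add('Automatic updates are disabled by policy (NoAutoUpdate=1)') }

# --- Patch freshness: most recently installed hotfix ---
$lastHotfix = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if ($lastHotfix) {
    $age = (New-TimeSpan -Start $lastHotfix.InstalledOn -End (Get-Date)).Days
    if ($age -gt 30) { $findings.Add("Last hotfix ($($lastHotfix.HotFixID)) installed $age days ago") }
} else {
    $findings.Add('No hotfix installation dates recorded')
}

# --- Pending updates via the Windows Update Agent COM API (contacts the update source) ---
try {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $pending  = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    if ($pending.Updates.Count -gt 0) {
        $findings.Add("$($pending.Updates.Count) software update(s) pending installation")
    }
} catch {
    $findings.Add("Could not query Windows Update Agent: $($_.Exception.Message)")
}

# --- Antivirus with behavioural protection (Microsoft Defender) ---
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($null -eq $mp) {
    $findings.Add('Microsoft Defender status unavailable (third-party AV or module missing)')
} else {
    if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Defender real-time protection is off') }
    if (-not $mp.BehaviorMonitorEnabled)    { $findings.Add('Defender behaviour monitoring is off') }
    $sigAge = (New-TimeSpan -Start $mp.AntivirusSignatureLastUpdated -End (Get-Date)).Days
    if ($sigAge -gt 7) { $findings.Add("Defender signatures are $sigAge days old") }
}

# --- BitLocker protection on the OS volume ---
$blv = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
if ($null -eq $blv) {
    $findings.Add("BitLocker status for $env:SystemDrive unavailable")
} elseif ($blv.ProtectionStatus -ne 'On') {
    $findings.Add("BitLocker protection on $env:SystemDrive is $($blv.ProtectionStatus)")
}

# --- Report: one object per host, easy to collect centrally or export to CSV ---
[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    CheckedAt    = Get-Date
    Findings     = if ($findings.Count) { $findings } else { @('No findings: host matches the checklist') }
} | Format-List
```

The script only reads state and never changes it, so it is safe to run as a scheduled inventory job; each failed item becomes a line in Findings rather than an exception, and the Windows Update query is wrapped in try/catch because it fails on hosts without network access to their update source.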
How Does the Security Community View Microsoft’s and GitHub’s Actions?
The security community is divided in its assessment of this situation. Some experts support GitHub for removing an account publishing active exploits. Others criticize Microsoft for the proportionality of the punishment — removing a developer account along with its data and licenses seems excessive. Tom’s Hardware reports that experts evaluate Microsoft’s actions as vindictive.
Similar controversies surrounded other GitHub decisions, as I wrote about in the context of Ghostty leaving GitHub. The platform must balance openness with security. In this case, it chose security.
The table below presents the positions in the dispute:
| Party | Argument | Assessment of Actions |
|---|---|---|
| Microsoft | Uncoordinated disclosure endangers customers | Justified |
| GitHub/GitLab | Violation of exploit publication terms of service | Consistent |
| Nightmare-Eclipse | Microsoft ignores vulnerability reports | Controversial |
| Community (some) | Punishment proportional to the threat | Divided |
| Community (some) | Microsoft is acting vindictively | Critical |
What Steps Should You Take When Discovering a Zero-Day Vulnerability?
Discovering a zero-day vulnerability comes with ethical and legal responsibilities. The standard procedure involves contacting the software vendor before any publication. Microsoft’s MSRC team accepts reports through a dedicated portal. As with GitHub repositories, cooperating with the vendor generally yields better results than confrontation.
Steps after discovering a zero-day vulnerability:
- Document the vulnerability with technical details
- Check whether the vulnerability has already been reported
- Contact the vendor through an official channel (MSRC, bug bounty)
- Establish a publication timeline (standard is 90 days)
- Consider submitting to a bug bounty program for compensation
- Prepare a proof-of-concept, but do not publish it publicly
- Coordinate publication with the vendor’s patch
- Document the entire communication process with the vendor
Nightmare-Eclipse skipped all of these steps. Although the researcher claims to have contacted Microsoft earlier, they presented no evidence of this before publishing the exploits.
Frequently Asked Questions
Does GitHub have the right to remove an account for publishing exploits?
Yes, GitHub’s terms of service prohibit publishing code that facilitates attacks on production systems. Nightmare-Eclipse published 6 zero-day exploits for Windows, 3 of which were being actively exploited at the time of disclosure.
How many zero-day exploits did Nightmare-Eclipse publish in total?
The researcher published 6 zero-day exploits for Windows, 3 of which were being actively exploited. The most controversial exploit targeted BitLocker in Windows 11.
Did GitLab also block Nightmare-Eclipse?
Yes, GitLab suspended Nightmare-Eclipse’s account within days of the GitHub ban. The researcher was blocked on both platforms in a short period for persistent disclosure of unpatched Windows vulnerabilities.
What are the consequences of publishing exploits without vendor coordination?
Publishing without coordination exposes users to attacks, as Infosecurity Magazine warns. Microsoft stated that disclosing several unpatched vulnerabilities without prior notice exposed customers to unnecessary danger. For the researcher, the consequence was the loss of accounts on both code hosting platforms as well as their Microsoft account.
Summary
Key takeaways:
- GitHub and GitLab are consistently removing accounts that publish active zero-day exploits
- Microsoft treats uncoordinated disclosure as a threat to hundreds of millions of users
- Nightmare-Eclipse promises escalation and further publications on July 14
- The security community is divided — some support the punishment, others consider it vindictive
- Responsible disclosure (90 days for a patch) remains the industry standard
If you are interested in security and code platforms, read the article about ChatGPT-Dan-Jailbreak.md on GitHub and how GitHub secures agentic CI/CD workflows.