Windows Central
Technology
Kevin Okemwa

"An insanely myopic move": Microsoft backs off legal threats against Windows security researchers after BitLocker backlash

Over the past few weeks, security researcher "Chaotic Eclipse" (also known as Nightmare-Eclipse) and Microsoft have been in a back-and-forth argument after the sleuth published a zero-day exploit known as YellowKey, which allowed them to access BitLocker-protected drives on Windows 11 with a simple USB key.

Nightmare claimed that Microsoft "intentionally" left a backdoor in the security feature.

The tech giant acknowledged the vulnerability in Windows, indicated that it was tracking the YellowKey zero-day exploit under CVE-2026-45585, and shared mitigation measures. However, Microsoft noted that the researcher had not shared the vulnerabilities with the company in advance, as its Coordinated Vulnerability Disclosure (CVD) policy calls for.

Consequently, the company claimed that publishing the unpatched bugs along with code to exploit them potentially placed customers across its ecosystem at risk, prompting it to threaten to take legal action.

"Uncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable and have real-world consequences. Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity — coordinating as needed with law enforcement around the world."

Microsoft Security Response Center

Before this, Nightmare claimed that the company had banned their GitHub account and even deleted their Microsoft account, which was used to report bugs. "[they were] told personally by [Microsoft] that they will ruin my life and they did", Nightmare added while referring to Microsoft's actions as vindictive.

However, speaking to Windows Central, a Microsoft spokesperson dismissed the claims:

"Microsoft does not remove MSRC researcher portal accounts, which is where anyone can submit a vulnerability to the company. Microsoft cannot confirm which account this person is claiming was deactivated."

Speaking to Dark Reading, BugCrowd founder Casey John Ellis admitted that Nightmare's situation with Microsoft is complicated. However, Ellis indicated that Microsoft's decision to pursue criminal prosecution against the security researcher was "an insanely myopic move, especially after all of the investment they've made into presenting a secure, transparent, and research-friendly face to the market."

Following backlash from the community, Microsoft indicated, "to be clear about our approach to legal matters, we have no intention to pursue action against individuals conducting or publishing their security research. When an individual breaks the law and engages in malicious activity causing real harm to our customers, we will work with law enforcement as appropriate."

"MSRC decided to kill off all the goodwill it has built up over the last decade," indicated Andrew Case, director of threat research at Volexity, following Microsoft's decision to take legal action against Nightmare.

Still, Microsoft has at least acknowledged the effort security researchers put into finding and submitting a vulnerability. Whether this episode affects the likelihood of future bug reports remains to be seen.
