Microsoft has issued a sharp rebuke against public zero-day disclosures after a security researcher published details of three actively exploited Windows vulnerabilities without first notifying the company; the researcher's GitHub account was removed around the same time.
The incident, reported by The Hacker News, centers on a researcher known by the handle Chaotic Eclipse — also going by Nightmare-Eclipse — who disclosed technical details of several previously unknown vulnerabilities without first notifying Microsoft. The disclosed zero-days reportedly affect Windows and were being actively exploited in the wild at the time of publication.
Microsoft's Position
In response to the disclosures, Microsoft issued a strong statement urging the security research community to follow Coordinated Vulnerability Disclosure (CVD) practices. Under this model, researchers privately report vulnerabilities to affected vendors, allowing them time to investigate, assess the impact, and develop patches before any public disclosure occurs.
Microsoft argued that this approach gives vendors the opportunity to fully understand the severity and scope of a vulnerability and to protect users before attackers can exploit the information. The company positioned CVD as the responsible standard for the industry, suggesting that premature public disclosure can put users at risk by handing exploit details to threat actors before a fix is available.
A Controversial Account Removal
Adding fuel to the controversy, Chaotic Eclipse's GitHub account was removed around the time the zero-day details were published. The precise reason behind the removal has not been officially clarified. It remains unclear whether the takedown resulted from a direct violation of GitHub's terms of service, a request from Microsoft — which owns GitHub through its 2018 acquisition — or another factor entirely.
The timing has drawn scrutiny from parts of the security research community, with some questioning whether the platform's ownership by Microsoft creates a conflict of interest when it comes to moderating security disclosures that are critical of the company's own products. GitHub has long served as a primary venue for researchers to host proof-of-concept code and vulnerability write-ups, making platform neutrality a sensitive topic.
The Disclosure Debate
The incident reignites a long-standing tension in the cybersecurity world between two philosophical camps. Advocates of coordinated disclosure — including most major technology vendors and organizations like CERT/CC — argue that responsible timelines give vendors a fair chance to fix issues, ultimately protecting end users.
On the other side, some researchers contend that vendors have historically used CVD processes to delay or suppress disclosures, sometimes leaving critical vulnerabilities unpatched for extended periods. Full disclosure proponents argue that public pressure accelerates remediation and holds vendors accountable.
This is not the first time a clash between a researcher and a platform vendor has raised questions about where to draw the line. Previous incidents across the industry have prompted calls for clearer, more transparent moderation policies — particularly on platforms that serve dual roles as both code-hosting services and corporate subsidiaries.
What Remains Unknown
Several key details about this incident remain unconfirmed. It is not yet clear whether Microsoft has begun developing patches for the three disclosed vulnerabilities or assigned them CVE identifiers. No official reason for the GitHub account removal has been made public either.
For IT professionals and security teams, the incident underscores the importance of monitoring vulnerability disclosure channels and maintaining robust patch management processes — particularly given that the disclosed vulnerabilities were reportedly under active exploitation. It also highlights the broader question of how the industry balances researcher freedom, corporate accountability, and user safety in an era where a single platform decision can silence a voice overnight.