Hacker News

GitHub bans security researcher who posted zero-day Windows exploits

481 points by possibilistic yesterday at 9:45 PM | 234 comments

Comments

rukshn today at 4:56 AM

I stopped reporting any security bugs I find in web apps because the first time I did it I almost got arrested by the police.

The second time I did it, they contacted my employer directly without even getting back to me, saying they were unhappy about me reporting it and wanted to write about it after they fixed the issue.

Since then I decided it’s not worth all the hassle and I will let them be and I can also have a peaceful day.

tptacek today at 12:13 AM

No idea what's happening here, but the First Rule Of Major Bug Bounty Programs is that everybody involved on the vendor side is actively incentivized to pay out. In many cases, there are people whose internal metrics depend on payouts. Payouts are causes for celebration in these programs. Microsoft is almost certainly[†] not trying to save money by screwing over bounty claimants.

This might not be true of small companies (and is a reason why small companies shouldn't run bug bounty programs), but it is definitely true of FAANG/MAG7-scale companies.

This doesn't mean these bounty programs err on the side of paying out, or that they won't routinely make decisions that will piss you off. It does however work against claims that they're withholding payouts vindictively.

[†] Only hedging because it's been a minute since I've talked to anyone at Microsoft.

bitbasher yesterday at 11:01 PM

I can’t help but feel Microsoft will regret this.

Guy finds zero days and gets no compensation. Instead gets banned.

Guy sells zero days elsewhere.

b3lvedere today at 6:46 AM

In the past recent months I've been dealing with a lot of strange digital responses at various related things. It caused a lot of frustration and I couldn't exactly pinpoint what I was doing wrong. Then I read this sentence in the article:

"But to save money, Microsoft fired the skilled people, leaving flowchart followers."

Flowchart followers... Now those are nice words to remember. It says it all. Not paid to think, but to follow pre-paved processes. My guess is that in the near future one will have to deal with a lot more flowchart followers, whether they be digital or actual human beings.

embedding-shape yesterday at 11:24 PM

Is there any public word from Microsoft about what is going on here? Why would both Microsoft and Gitlab ban the user? I thought both platforms allowed hosting exploits and security research as long as everything is clearly marked up-front, I'm guessing some rules were broken?

__d yesterday at 11:01 PM

Shoot the messenger. That’ll fix it.

JumpCrisscross today at 12:09 AM

Has Microsoft just created an editorial responsibility for itself to remove zero days from GitHub?

If my software winds up with a zero day on GitHub, will Microsoft nuke that account, too?

ptrl600 today at 1:28 PM

Lots of copies of the Windows source code are still on GitHub, which is problematic if you're interested in NT and want to contribute to Wine or something... hard to avoid running into restricted code.

sspoisk today at 10:28 AM

This situation highlights the inherent conflict of interest in Microsoft owning GitHub. While GitHub has clear terms of service regarding the hosting of active, weaponized exploits, the optics of banning a researcher who specifically targeted Windows are always going to look vindictive, regardless of the justification.

zuzululu yesterday at 11:35 PM

What's the backstory on this researcher? They seem to have a personal vendetta against Microsoft and thus releasing zero days that he found with the help of AI?

Seems like the gold rush period is over for bounty hunters and it's more about who has access to hardware/token capital.

StatelessAnton today at 10:27 AM

One should just exploit it next time :D

LelouBil today at 1:40 AM

Very important info: https://www.theregister.com/security/2026/05/28/microsoft-0-...

In the linked Microsoft blog post, they say:

> The details of these vulnerabilities were not shared with Microsoft prior to release, and the disclosures put our customers at unnecessary risk.

So are they lying? Why would Nightmare-Eclipse not report them if they are not?

It's a very weird situation.

jrflowers yesterday at 10:54 PM

> forcing them to pack up and move shop to GitLab instead.

https://gitlab.com/nightmare-eclipse

Blocked user @nightmare-eclipse

Looks like they’re banned on GitLab as well?

cortesoft yesterday at 10:56 PM

Researcher seems a bit unhinged.

frobisher today at 7:54 AM

We need to move to IPFS or something federated for source code

Aurornis today at 12:52 AM

User also got themselves banned from Gitlab, an unrelated company. Their quotes in the article are threatening violence and destruction toward Microsoft.

I don’t know what’s going on, but given that they’re getting banned from multiple unrelated organizations and threatening to “crush their bones” and such, I suspect this is probably just a regular old case of someone being abusive and unhinged, getting banned because of it, and then claiming conspiracy.

What, exactly, did this person post to GitHub and/or Gitlab that got them banned? We should all know by now that any exploits posted to GitHub are cloned and forked everywhere immediately. Why are these articles so vague about what was posted?

Also, these conspiracy theories that the NSA or other .gov is forcing this are quite ridiculous, as it would be infinitely easier for them to just hand the guy a pile of money than to Streisand effect it with a visibly unhinged guy talking about dead man’s switches and crushing bones.

panny today at 1:29 PM

Microsoft owns GitHub and Windows, makes sense. "Security researchers" love attention however, and I'm going to guess this one knew it would happen and is now making hay on the fact that it did. Now let me roll out the tired authoritarian excuses to wrap up the thread.

>It's a private company. They can do what they want.

>Freedom of speech isn't freedom from consequences.

>Build your own GitHub.

Did I miss any?

0cf8612b2e1e yesterday at 10:58 PM

Surely, the public string of exploits means he can find gainful employment from any of the various spooks?

sscaryterry today at 11:04 AM

Just create a new account :D

jasonvorhe yesterday at 11:51 PM

Amidst abysmal uptime, Ghostty leaving and now this, GitHub is accelerating their own downfall.

MiscIdeaMaker99 yesterday at 11:08 PM

The optics don't look good for Microsoft, but we don't know their side of the story.

SXX yesterday at 11:18 PM

Also recently:

Satya Nadella says as much as 30% of Microslop code is written by AI:

https://www.cnbc.com/2025/04/29/satya-nadella-says-as-much-a...

stevefan1999 today at 7:21 AM

I mean he should sell those 0days to the exploit.im market for good money instead of going for "whitehat" if you want maximum damage.

bnagh today at 12:58 AM

Looks like Microslop will have a happy Bastille day. Getting popcorn.

SXX yesterday at 11:07 PM

This is such a bad idea, and what's the point anyway? Once a 0-day is out, it's out.

Almost like trying to censor a leaked HDCP key.

breppp today at 5:38 AM

The combination of an overly unstable, dramatic researcher, a tech news community which will undermine truth in a desperate plea for some clicks, and people that are readily willing to believe everyone is constantly just casually in contact with the NSA, gives us these third-rate stories.

rvz today at 12:51 AM

A perfect storm of GitHub's own self-destruction and downfall all done by themselves.

Microsoft is playing with fire against a researcher that has a track record of finding 0-days out of thin air. Quite a dumb thing to do.

This researcher should instead pivot to crypto smart contract bounties. A much larger payout there than from companies like Microsoft.

vasco today at 12:38 AM

The NSA isn't even subtle anymore jeez.

karel-3d today at 5:14 AM

Why doesn't he sell those to someone like Zerodium?

The bugs he is publishing are exactly the class of bugs that they would love to buy.

ChrisArchitect today at 1:49 AM

Related:

Microsoft's stance on zero day exploits is a dumpster fire of their own making

https://news.ycombinator.com/item?id=48313038

alex1138 yesterday at 11:34 PM

Basic conflict of interest stuff

MS owns GH. It's tone-deaf and criminal.

mschuster91 today at 12:24 AM

Lol, they ban a security researcher from GitHub for embarrassing them, but massgrave's Microsoft Activation Scripts isn't just still on GitHub but verified?

Make it make sense, Microsoft.
