Comment by bitbasher
1 month ago
I can’t help but feel Microsoft will regret this.
Guy finds zero days and gets no compensation. Instead gets banned.
Guy sells zero days elsewhere.
1 month ago
I can’t help but feel Microsoft will regret this.
Guy finds zero days and gets no compensation. Instead gets banned.
Guy sells zero days elsewhere.
But the story is supposedly about him posting the zero-day exploits, not selling them. It’s in the title.
He also got banned from Gitlab, which isn’t related to Microsoft at all.
Ever considered these aren't the full set of exploits the researcher discovered? Or that he can find more since he found these? If I found a bunch, I'd certainly withhold a few as insurance.
He's claimed that he has more as well. He seems to have a personal vendetta against Microsoft going by his blog, said nothing will be released in June but will in July: https://deadeclipse666.blogspot.com/2026/05/july-14th.html
Sure, but GitHub and Gitlab aren’t the only two ways to share code on the Internet. The conspiracy theories about two unrelated companies shutting down his git accounts to prevent him from releasing these supposed exploits are reaching pretty deep into conspiracy theory nonsense. The conspiracy theories can’t even agree if he was banned for posting them or because he hadn’t posted them but might post them.
9 replies →
I'm not sure if this is an unintentional mistake. Gitlab did not perform a ban. Github performed the ban. Github is fully-owned by Microsoft.
Yes they did: https://gitlab.com/nightmare-eclipse
That git account was posted on their blogspot...
2 replies →
Not one or the other but both. He's banned on GitLab as well.
Well, after they didn't pay him for previous bugs. Not an excuse but certainly a reason.
Are you sure?
Not to mention all the other people who find 0-days. Reputation matters a lot.
Yep, and its a really small world out there.
If researchers stop believing MS will treat them fairly it's bad news for the entire security industry.
Well. Its a bad news for society as whole.
Security industry going to be okay - someone will always pay for 0-days. If vendors wont pay its just gonna be US agencies, Israel resellers, China or Russia.
If you don't feed your army, you will soon feed someone's else's.
5 replies →
Not to mention all the startups being founded right now. Sure, github's still the default, and maybe you can still monetize stars or something, but it's also a clown show from an availability, feature roadmap and company policy perspective.
Is it really fiscally responsible to tie your company's future to that?
I wonder if anyone tracks metrics for this stuff. Percentage of stuff with a repo there is probably still high, but what's happening with stuff like github actions, and are devs directly pushing to github, or are they just mirroring an internal / other provider's git repo to it?
> Guy sells zero days elsewhere.
No problem. The CIA will give it's high level officers millions of dollars in gold bars simply for the asking. I'm sure purchasing exploits doesn't even require a purchase order.
Why would they regret it? According to the person who found them, they put those vulnerabilities there for a reason.