{"id":8721,"date":"2026-06-05T09:48:55","date_gmt":"2026-06-05T14:48:55","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=89315"},"modified":"2026-06-05T09:48:55","modified_gmt":"2026-06-05T14:48:55","slug":"nightmare-eclipse-incident-shows-the-researcher-vendor-fights-may-never-fully-go-away","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2026\/06\/05\/nightmare-eclipse-incident-shows-the-researcher-vendor-fights-may-never-fully-go-away\/","title":{"rendered":"Nightmare Eclipse incident shows the researcher-vendor fights may never fully go away"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v24.5 (Yoast SEO v27.1.1) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ --> <title>Nightmare Eclipse incident shows the researcher-vendor fights may never fully go away | CyberScoop<\/title> <meta name=\"description\" content=\"When a researcher went public with Microsoft vulnerabilities, it laid bare a conflict that has never really been solved.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/microsoft-coordinated-vulnerability-disclosure-debacle\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Nightmare Eclipse incident shows the researcher-vendor fights may never fully go away\"> <meta property=\"og:description\" content=\"When a researcher went public with Microsoft vulnerabilities, it laid bare a conflict that has never really been solved.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/microsoft-coordinated-vulnerability-disclosure-debacle\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" 
content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2026-06-05T14:48:55+00:00\"> <meta property=\"article:modified_time\" content=\"2026-06-05T14:48:57+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/06\/nightmare-eclipse-incident-shows-the-researcher-vendor-fights-may-never-fully-go-away-2.jpg\"> <meta property=\"og:image:width\" content=\"2309\"> <meta property=\"og:image:height\" content=\"1299\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Matt Kapko\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@CyberScoopNews\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1778775768g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1780427069g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1775068334g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" 
href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/89315\"><meta name=\"generator\" content=\"WordPress 6.8.5\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=89315\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fmicrosoft-coordinated-vulnerability-disclosure-debacle%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fmicrosoft-coordinated-vulnerability-disclosure-debacle%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-89315 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/microsoft-coordinated-vulnerability-disclosure-debacle\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> 
<\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"24.629770992366\">\n<div class=\"single-article__header-content\" readability=\"30.834008097166\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/microsoft-coordinated-vulnerability-disclosure-debacle\/\"> <span>Cybersecurity<\/span> <\/a> <\/li>\n<\/ul>\n<p> When a researcher went public with Microsoft vulnerabilities, it laid bare a conflict that has never really been solved. 
<\/p>\n<p> <!-- Listen to this article section --> <!-- End of audio player --> <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"360\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/06\/nightmare-eclipse-incident-shows-the-researcher-vendor-fights-may-never-fully-go-away.jpg?resize=640%2C360&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/06\/nightmare-eclipse-incident-shows-the-researcher-vendor-fights-may-never-fully-go-away-2.jpg 2309w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/06\/nightmare-eclipse-incident-shows-the-researcher-vendor-fights-may-never-fully-go-away-2.jpg?resize=300,168 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/06\/nightmare-eclipse-incident-shows-the-researcher-vendor-fights-may-never-fully-go-away-2.jpg?resize=768,432 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/06\/nightmare-eclipse-incident-shows-the-researcher-vendor-fights-may-never-fully-go-away-2.jpg?resize=1024,576 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/06\/nightmare-eclipse-incident-shows-the-researcher-vendor-fights-may-never-fully-go-away-2.jpg?resize=1536,864 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/06\/nightmare-eclipse-incident-shows-the-researcher-vendor-fights-may-never-fully-go-away-2.jpg?resize=2048,1152 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/06\/nightmare-eclipse-incident-shows-the-researcher-vendor-fights-may-never-fully-go-away-2.jpg?resize=600,337 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/06\/nightmare-eclipse-incident-shows-the-researcher-vendor-fights-may-never-fully-go-away-2.jpg?resize=1200,675 1200w, 
https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/06\/nightmare-eclipse-incident-shows-the-researcher-vendor-fights-may-never-fully-go-away-2.jpg?resize=1498,843 1498w\" sizes=\"(max-width: 1200px) 100vw, 1200px\"><figcaption> (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"110.82130413141\"><body readability=\"225.47923491493\"><\/p>\n<p>Microsoft reopened some wounds and has reignited debate over the past couple weeks about vulnerability disclosure and the sometimes adversarial dynamic it creates between security researchers and vendors.&nbsp;<\/p>\n<p>The latest controversy ensued when Microsoft threatened criminal legal action against a security researcher who publicly disclosed a series of zero-day vulnerabilities with proof-of-concept exploits. Microsoft <a href=\"https:\/\/www.microsoft.com\/en-us\/msrc\/blog\/2026\/05\/a-shared-responsibility-protecting-customers-through-coordinated-vulnerability-disclosure\">insisted it received no details<\/a> about the vulnerabilities prior to release, adding that the defects were not responsibly disclosed and put its customers at unnecessary risk.<\/p>\n<p>The public dispute between Microsoft and the researcher known as \u201c<a href=\"https:\/\/deadeclipse666.blogspot.com\/\">Nightmare Eclipse<\/a>,\u201d who couldn\u2019t be identified or reached for comment, sparked dismay among some security professionals. 
Microsoft\u2019s forceful response and the resulting backlash revived a friction point between vendors and researchers who find and report flaws in the software they sell.<\/p>\n<p>\u201cThe fight is being argued as coordinated disclosure, but the grievance underneath is personal and specific in a way disclosure shouldn\u2019t be, especially with a vendor that has been at it for so long,\u201d Katie Moussouris, founder and CEO at Luta Security, told CyberScoop.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cMicrosoft seemed to get emotional and shouldn\u2019t have publicly said anything, but somehow felt justified in calling out a researcher and involved law enforcement in the same breath,\u201d she said. \u201cThat puts them right back in the first stages of vulnerability disclosure grief: denial and anger.\u201d<\/p>\n<p>The former longtime Microsoft employee who ran outreach with the security community, created the company\u2019s first bounty program and has given <a href=\"https:\/\/www.youtube.com\/watch?v=T6e70upcfl4\">conference talks on the subject<\/a> as far back as 2013, said the company doubled down on its lack of responsibility in the whole saga.<\/p>\n<p>Microsoft declined to answer questions in the wake of the fallout.<\/p>\n<p>Nightmare Eclipse hinted at a breakdown and impending battle with the vendor in a series of blog posts leading up to Microsoft\u2019s missive about the vulnerabilities <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2026-41091\">RedSun<\/a>, <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2026-45498\">UnDefend<\/a>, <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2026-33825\">BlueHammer<\/a>, <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2026-45585\">YellowKey<\/a>, GreenPlasma, and MiniPlasma.<\/p>\n<p>Attackers exploited 
three of the six vulnerabilities Nightmare Eclipse released before they were patched by Microsoft.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The researcher claimed Microsoft refused to communicate, didn\u2019t pay or credit them for discovering and reporting some of the vulnerabilities, deleted the Microsoft Security Response Center account they used to disclose vulnerabilities and flagged their GitHub account for removal.&nbsp;<\/p>\n<p>\u201cYou are proving to everyone that you are actively escalating this conflict,\u201d they wrote, before threatening Microsoft with a release in mid-July that \u201cwill make sure your bones are shattered that day.\u201d<\/p>\n<h4 class=\"wp-block-heading\" id=\"h-vulnerability-disclosure-is-a-two-way-street\">Vulnerability disclosure is a two-way street<\/h4>\n<p>The characteristics of proper vulnerability disclosure processes are nuanced and often framed in the eyes of the beholder.<\/p>\n<p>Any successful dance between bug hunters and vendors comes down to meeting each other halfway, said Andrew Morris, founder and chief architect of GreyNoise.&nbsp;<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>While vendors must fix software defects and prioritize security, Morris noted that irresponsible vulnerability disclosure harms both incident responders and potential victims.&nbsp;<\/p>\n<p>\u201cPersonally, I feel like this researcher is being extremely petty. 
It seems like they have an ax to grind,\u201d he said.<\/p>\n<p>\u201cYou\u2019re not allowed to give somebody something and say it\u2019s out of the kindness of your heart, and then be pissed when they don\u2019t pay you for it.\u201d&nbsp;<\/p>\n<p>But Morris also made clear that vendors bear responsibility for building trust with researchers.&nbsp;&nbsp;<\/p>\n<p>\u201cIf you actually care about being the first one to know about bugs in your software, not learning about it once harm has happened, or once somebody\u2019s gotten popped, then you want to cultivate that trust with the security community,\u201d Morris said.&nbsp;<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Microsoft said it recognizes that the relationship between security researchers and vendors is critical and, at times, fragile.&nbsp;<\/p>\n<p>\u201cWe deeply value the security community, and will continue to take your feedback seriously,\u201d the company said in its post <a href=\"https:\/\/x.com\/msftsecresponse\/status\/2061293718942908925?s=46&amp;t=dtqCMcf-olK_VbvIvBQlTg\">on X<\/a>.&nbsp;<\/p>\n<p>Yet, the company remains steadfast in opposing the circumstances of Nightmare Eclipse\u2019s disclosures, describing their actions as illegal, unjustifiable and irresponsible.&nbsp;<\/p>\n<p>\u201cWhen an individual breaks the law and engages in malicious activity causing real harm to our customers, we will work with law enforcement as appropriate,\u201d Microsoft said without naming the researcher by their moniker. \u201cWe continue to believe strongly in coordinated vulnerability disclosure as the foundation for protecting customers and improving our products. We know that, given the nature of this work, there will at times be misunderstandings. 
We remain committed to engaging in good faith and to providing a respectful and professional experience for all researchers, regardless of past interactions.\u201d<\/p>\n<h4 class=\"wp-block-heading\" id=\"h-the-cost-of-pushback\">The cost of pushback<\/h4>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Security researchers seek out defects for various reasons: bounty payouts, recognition, industry credibility, or simply the thrill of the hunt that comes with finding vulnerabilities and getting them fixed.<\/p>\n<p>At its best, this process happens behind the scenes, with patches released and customers warned before exploitation occurs.<\/p>\n<p>This collaborative approach has taken root and improved considerably, but there are still cases where researchers feel slighted.&nbsp;<\/p>\n<p>\u201cThe public has no idea what went on behind the scenes to judge why a researcher that previously coordinated finally had enough and decided to drop a zero-day [vulnerability],\u201d Moussouris said. As such, she\u2019s less inclined to criticize Nightmare Eclipse\u2019s actions, adding that \u201cthey come off as someone who needs help.\u201d&nbsp;<\/p>\n<p>Yet trust between vulnerability researchers and vendors breaks down often. Earlier this week, security researcher Ammar Askar claimed his last interaction with Microsoft\u2019s security team was so poor that he decided to publicly disclose any bugs he finds in VS Code going forward. 
He made good on that threat by <a href=\"https:\/\/blog.ammaraskar.com\/github-token-stealing\/\">dropping a vulnerability<\/a> and exploit code for a defect that allows attackers to steal GitHub tokens.&nbsp;<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>While actions like this can sabotage trust and drive a wedge between vendors and vulnerability researchers, recourse to a large extent is limited. Moussouris said most of the time, the legal and ethical boundaries are clear to those involved. Researchers can report bugs, withhold them, sell them, or publish them. \u201cThe one red line is crime: using a flaw to extort or attack people,\u201d Moussouris said.&nbsp;<\/p>\n<p>\u201cThreatening to publish on a set date is a threat to disclose, and disclosure is lawful. You can find the tone ugly. [Nightmare Eclipse] still broke no rule and violated no duty.\u201d&nbsp;<\/p>\n<h4 class=\"wp-block-heading\" id=\"h-the-timing-couldn-t-be-worse\">The timing couldn\u2019t be worse&nbsp;<\/h4>\n<p>Both sides are partly responsible for what happened, but Microsoft made things worse, Morris said. Threatening legal action and taking an aggressive approach have never worked. Building a good relationship between researchers and vendors requires open communication and trust.&nbsp;<\/p>\n<p>\u201cI thought we were past this. It turns out that we are not,\u201d he said.&nbsp;<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The Nightmare Eclipse incident comes at a fraught time in this space. 
Vendors and their customers are confronting a deluge of more vulnerabilities, and the rise of artificial intelligence models that discover them is exacerbating this challenge, leaving <a href=\"https:\/\/cyberscoop.com\/ai-cyberattacks-two-years-insane-vulnerabilities-kevin-mandia-alex-stamos-morgan-adamski-rsac-2026\/\">security experts alarmed about what\u2019s coming<\/a>.<\/p>\n<p>The prospects for where vulnerabilities will be discovered and exploited next, and to what impact, are unknown and wildly unsettling.&nbsp;<\/p>\n<p>These signals imply that the classic, CVE-based system with responsible disclosure processes is probably broken, Morris said. \u201cThere\u2019s just so many CVEs. It\u2019s like, is this even working anymore?\u201d<\/p>\n<p>For now, and despite all their faults, coordinated vulnerability disclosure programs are widely viewed as the most sensible and scalable approach to this dilemma.<\/p>\n<p>\u201cCoordinated disclosure is what happens when a vendor gets lucky. Someone they did not hire hands them a real bug instead of using it or selling it. That puts the whole burden of keeping coordination alive on the vendor,\u201d Moussouris said. 
\u201cSilent patching with no CVE and calling out researchers who don\u2019t follow your timeline for disclosure squanders the vendor\u2019s luck.\u201d&nbsp;&nbsp;<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>She stressed the stakes: \u201cI hope Microsoft and all vendors learn that coordinated vulnerability disclosure is a gift and a grace from the security researcher community to them, and public disclosure is still better than non-disclosure or crime.\u201d<\/p>\n<p>The alternatives to a deteriorating relationship could wreak havoc and leave every vendor and customer more susceptible to attack.&nbsp;<\/p>\n<p>\u201cIf vendors unlearn how to receive free intellectual property and labor from the security community in the form of vulnerability reports with gratitude, we\u2019re headed for a world where nobody bothers to give vendors any heads up, or they move to a timed disclosure model that gives no grace,\u201d Moussouris said.<\/p>\n<p>She concluded with a direct message:&nbsp;\u201cProduct vendors wrote the vulnerable code, own the risk, and they owe it to their users to do everything in their power to reduce that risk.\u201d That includes \u201ckeeping their grievances to themselves and learning from introspection on coordinated vulnerability disclosure gone wrong.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.1135972461274\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/06\/nightmare-eclipse-incident-shows-the-researcher-vendor-fights-may-never-fully-go-away-1.jpg?w=640&#038;ssl=1\" alt=\"Matt Kapko\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Matt Kapko<\/h4>\n<p> 
Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span 
class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/microsoft-coordinated-vulnerability-disclosure-debacle\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Nightmare Eclipse incident shows the researcher-vendor fights may never fully<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[2492,6826,78,4357,6827,625,256,310,288,2281,703,2759,1544,5292,1170],"tags":[2494,6828,86,4359,6829,630,262,311,294,2283,705,2760,1545,5296,1171],"class_list":["post-8721","post","type-post","status-publish","format-standard","hentry","category-bug-bounty","category-coordinated-vulnerability-disclosure","category-cybersecurity","category-greynoise","category-luta-security","category-microsoft","category-research","category-technology","category-threats","category-vulnerability","category-vulnerability-disclosure","category-vulnerability-reporting","category-zero-day","category-zero-day-exploit","category-zero-days","tag-bug-bounty","tag-coordinated-vulnerability-disclosure","tag-cybersecurity","tag-greynoise","tag-luta-security","tag-microsoft","tag-research","tag-technology","tag-threats","tag-vulnerability","tag-vulnerability-disclosure","tag-vulnerability-reporting","tag-zero-day","tag-zero-day-exploit","tag-zero-days"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"
","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/bug-bounty\/\" rel=\"category tag\">bug bounty<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/coordinated-vulnerability-disclosure\/\" rel=\"category tag\">coordinated vulnerability disclosure<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/greynoise\/\" rel=\"category tag\">greynoise<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/luta-security\/\" rel=\"category tag\">Luta Security<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/microsoft\/\" rel=\"category tag\">Microsoft<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/research\/\" rel=\"category tag\">Research<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/technology\/\" rel=\"category tag\">Technology<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/vulnerability\/\" rel=\"category tag\">vulnerability<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/vulnerability-disclosure\/\" rel=\"category tag\">vulnerability disclosure<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/vulnerability-reporting\/\" rel=\"category tag\">vulnerability reporting<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/zero-day\/\" rel=\"category tag\">Zero-day<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/zero-day-exploit\/\" rel=\"category tag\">zero-day exploit<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/zero-days\/\" rel=\"category 
tag\">zero-days<\/a>","tag_info":"zero-days","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8721","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=8721"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8721\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=8721"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=8721"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=8721"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}