The second time I did it they contacted my employer directly without even getting back to me, saying they were unhappy with me reporting it and wanted to write about it after they fixed the issue.
Since then I decided it’s not worth all the hassle and I will let them be and I can also have a peaceful day.
Traficom's FCSC has been a great asset for white hat security researchers globally by allowing them to just keep contributing to the common good.
This seems to be a direct link to a web form to report (in English): https://eservices.traficom.fi/ContactForms/form/haavoittuvuu...
In particular, note that all the fields asking for personal information disappear if you select "Yes" in "I am submitting an anonymous tip" field.
The CCC (Chaos Computer Club) in Germany will probably do the same.
I'm intrigued by your post -- I used to tell people to send things like this to CERT/CC... but it's been so long since I dabbled in that world that my contacts have departed, and the current administration is so erratic that, paired with Finland's recent rejection of neutrality and accession into NATO, I would frankly agree that your CERT may be a better fit for the majority of people.
You report yourself to the police for trying to hack into a computer system, and you report yourself to the website that can now decide to sue you.
All of that without any benefits.
I tried three different contacts I could find; only one came back to me and wanted to know what the systems did, what the risk was, etc. I pointed out I have no idea, and I'm absolutely not logging into mysterious systems to find out - pass it to your own IT so they can see what needs to be changed, rotated, etc.
I did eventually get a message back from someone who thanked me for my diligence and said it was solved as they had now removed the photo... I really hope they had someone who understood look at it, but I decided not to engage further...
I was wearing a white hat professionally for quite a while but I can't fault you - at this point trying to be honest and helpful is dangerous. If you decide to sell the vulnerabilities, so be it.
This might not be true of small companies (and is a reason why small companies shouldn't run bug bounty programs), but it is definitely true of FAANG/MAG7-scale companies.
This doesn't mean these bounty programs err on the side of paying out, or that they won't routinely make decisions that will piss you off. It does however work against claims that they're withholding payouts vindictively.
[†] Only hedging because it's been a minute since I've talked to anyone at Microsoft.
[1] - https://www.tomshardware.com/tech-industry/cyber-security/mi...
I'm still far from thinking this is a backdoor. It tricks the boot environment into deleting a file and then it doesn't ask for a password. The exploit is nowhere near BitLocker; the problem is that BitLocker without a boot password requires the whole OS to preserve security from boot through the login screen.
And where's the claimed version that works when a PIN is set?
And then to double down and ban accounts because you'd rather not fix the bureaucracy is really just a bad look. I'm not quite sure why MS is getting the benefit of the doubt from you.
There's something fishy going on with these vulnerabilities. I'm not one for conspiracies but it's not a good look for Microsoft, they are obviously trying to cover something up.
Looks like they're trying to make it disappear, but it's in the wild now.
This exploit is cool but there are similar exploits discovered in any given year and nothing really reeks of a backdoor; this one seems to be gaining attention mostly because Microsoft’s robo-call level initial response caused the researcher to dramatically crash out.
As far as we know, having TPM+PIN or TPM+Startup Key breaks the exploit. TPM-only was always known to be basically ineffective against threats like laptop theft; TPM-only would only protect you if the drive was stolen out of the machine, in which case this exploit also would not work.
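A defender-side check that follows from this comment, added here as an example (it is not code from the thread or from Microsoft): enumerate the key protectors on each BitLocker volume and flag any OS volume that relies on a TPM-only protector, i.e. one that unlocks without a PIN or startup key at boot. It assumes the built-in BitLocker PowerShell module on Windows 10/11 or Server and an elevated prompt; the verdict strings are this example's own labels.

```powershell
# Added example, not from the original thread.
# Audit BitLocker key protectors and flag volumes that are TPM-only
# (no pre-boot PIN or startup key), the configuration the comment above
# describes as weak against laptop theft. Run from an elevated prompt.

# Protector types that require something beyond the TPM before the OS boots.
$strongBootProtectors = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')

function Get-BitLockerBootAuthReport {
    Get-BitLockerVolume | ForEach-Object {
        $vol   = $_
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        $hasTpmOnly   = $types -contains 'Tpm'
        $hasStrongPre = @($types | Where-Object { $strongBootProtectors -contains $_ }).Count -gt 0

        $verdict = if ($vol.ProtectionStatus -ne 'On')  { 'NOT PROTECTED' }
                   elseif ($hasStrongPre)               { 'OK: pre-boot authentication required' }
                   elseif ($hasTpmOnly)                 { 'REVIEW: TPM-only, no PIN or startup key' }
                   else                                 { 'REVIEW: no TPM-based protector' }

        [PSCustomObject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            ProtectionStatus = $vol.ProtectionStatus
            KeyProtectors    = ($types -join ', ')
            Verdict          = $verdict
        }
    }
}

Get-BitLockerBootAuthReport | Format-Table -AutoSize
```

Remediating a TPM-only OS volume means adding a TPM+PIN (or startup key) protector, for example with `Add-BitLockerKeyProtector -MountPoint C: -TpmAndPinProtector -Pin $securePin`, which Windows only permits once the "Require additional authentication at startup" policy allows a PIN; the recovery password protector should stay in place so the volume remains recoverable.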
On the other side of things, I saw one major program pay out at an inappropriately high tier, over and over again, because a long time ago the researcher had successfully argued that his garden-variety XSS exploit could be used to generate an effect that was listed at a higher payout rate, and then he made sure that whenever he found an XSS, he included a proof-of-concept generating that same effect. Other researchers reporting XSS got the listed XSS rate.
† Actually, I can think of one time. Someone achieved the holy grail and installed a webshell on a company server, which under current guidelines would have been worth more than $10k. However, they didn't uninstall the webshell. They just filed their report and left it up. This enraged the head of the program, who commented specifically that he didn't want to pay out a bounty because of it. I don't recall whether a bounty was ultimately paid or not.
The style is the same, and it appears that SandboxEscaper has previously been fired by MSFT. (they are not dead) https://github.com/BigPolarBear1/The_story
SandboxEscaper, who has not really been very active online, started blogging again right before NightmareEclipse showed up. They've been offering to sell Microsoft related bugs. https://weirdquadratic.blogspot.com
OTOH, there's evidence against my theory in the form of prior tweets by the "ChaoticEclipse0" account, which include references to their age and writing in Moroccan Darija https://x.com/ChaoticEclipse0/status/1332337678470291459
The Twitter account was silent between Aug 17 2023 and Apr 3 2026, so it's not necessarily the same person using it anymore.
> most expert researchers, all a bit quirky.
Is it a surprise that if you think differently you act differently? You have to think differently to become an expert. If you thought the same (as the "average") you'd, by definition, be "average".
Guy finds zero days and gets no compensation. Instead gets banned.
Guy sells zero days elsewhere.
He also got banned from GitLab, which isn't related to Microsoft at all.
If researchers stop believing MS will treat them fairly it's bad news for the entire security industry.
Is it really fiscally responsible to tie your company's future to that?
I wonder if anyone tracks metrics for this stuff. Percentage of stuff with a repo there is probably still high, but what's happening with stuff like github actions, and are devs directly pushing to github, or are they just mirroring an internal / other provider's git repo to it?
No problem. The CIA will give its high-level officers millions of dollars in gold bars simply for the asking. I'm sure purchasing exploits doesn't even require a purchase order.
Seems like the gold rush period is over for bounty hunters and it's more about who has access to hardware/token capital.
> But to save money, Microsoft fired the skilled people, leaving flowchart followers. I wouldn't be surprised if Microsoft closed the case after the reporter refused to submit a video of the exploit, since that's apparently an MSRC requirement now.
If I spent years learning your system, then gift wrapped zero-days that are devastating at multiple levels of your stack for you, and the response was flow chart tech support with a "buy a webcam" cherry on top, I'd be pretty pissed too. The bounties for these (which apparently work, since they're under active exploitation) add up to mid six figures, and, apparently, there's a pile of additional ones in the wings.
Bug bounties are already exploitative (they pay 10x higher wages to people that write the bugs than the people that find them, and finding them is generally much harder).
Breaking trust by refusing to pay up when the issues are filed through official channels is unprofessional and sleazy.
If this researcher actually had a vendetta, I'd expect them to just sell the remaining zero-days to the highest bidder.
How do we know they didn't? It's called zero-day because Microsoft wasn't aware of the exploits until today. It doesn't mean that no other parties have known about them.
I feel safe in saying that they don't want a video of you at your keyboard typing stuff. An exploit video is a recording of your screen, not of you.
selling to the highest bidder doesn’t generate headlines though.
And honestly I think that's the part that Microsoft is most upset about, because every internal partner conversation I've had has been about needing to buy Security Copilot because all the advanced attacks are coming from AI, and just suggesting vulnerabilities existed before AI seems to make salespeople uncomfortable continuing the conversation.
Probably because they were forced to use MS-DOS when so many better options were killed off by Microsoft's monopolistic and anti-consumer underhanded business tactics...
I might be projecting.
Satya Nadella says as much as 30% of Microslop code is written by AI:
https://www.cnbc.com/2025/04/29/satya-nadella-says-as-much-a...
I'm certain that the multi-trillion dollar company with a history of antisocial and anti-consumer behavior will survive some petty insults.
Though, if people who control purchasing (and/or regulatory) power tend to link increasing use of LLMs and layoffs because "AI means we don't need all those programmers and managers" to substantial and ongoing reductions in quality of the company's software and services, the discussions customers have with MSFT salesfolk may cause the company to "change course", as it were. Intermittent grassroots petty insults are one way to keep folks reminded of the stuff that CEOs and salesfolks would rather you forget.
Actually, I was making a reference to Microsoft banning people on their Discord.
Because out of the top "evil corps", Microsoft seems to have the worst PR department.
"But to save money, Microsoft fired the skilled people, leaving flowchart followers."
Flowchart followers... Now those are nice words to remember. It says it all. Not paid to think, but to follow pre-paved processes. My guess is that in the near future one will have to deal with a lot more flowchart followers, whether they be digital or actual human beings.
Whereas IT/Ops/developers see themselves as artisanal, free-thinking, intellectual beings, where skill is related to shortcuts, hacks, and thinking outside the box compared to following process.
In the linked Microsoft blog post, they say:
> The details of these vulnerabilities were not shared with Microsoft prior to release, and the disclosures put our customers at unnecessary risk.
So are they lying? Why would Nightmare-Eclipse not report them if they are not?
It's a very weird situation.
That statement irks me. Responsible disclosure or not, it's Microsoft themselves that put their customers at risk, not the researcher.
It's not a dichotomy either, they can both have put the customers at risk.
Maybe they're a foreign intelligence cutout masquerading as a burned researcher.
Whoever silently downvoted this, I'd love to hear why you so strongly disagree with my assessment.
https://gitlab.com/nightmare-eclipse
Blocked user @nightmare-eclipse
Looks like they're banned on GitLab as well?
I also think it’s funny that people are alleging .gov conspiracies that end in a publicly hosted “blocked user” page instead of just 404-ing or something.
https://github.com/xiaoji235/bitlocker-bypass-tool-for-winre
Unfortunately I don't think there is any way to see a list of all the forks now that the main repo is dead, but you can search the phrase "A huge thanks to MORSE, MSTIC and Microsoft GHOST for making this public disclosure possible" to find more copies.
Make it make sense, Microsoft.
> "Although about 3 million computers get sold every year in China, people don't pay for the software. Someday they will, though," Gates told an audience at the University of Washington. "And as long as they're going to steal it, we want them to steal ours. They'll get sort of addicted, and then we'll somehow figure out how to collect sometime in the next decade."
Microsoft's attitude has always been if someone is going to pirate an OS, they'd rather that be Windows than a competitor's platform.
Example: https://lowendbox.com/blog/will-github-ever-remove-this-null...
If my software winds up with a zero day on GitHub, will Microsoft nuke that account, too?
More loosely, the fact that they deem this to be an appropriate action when it comes to their own interests would seem to condemn them if they refuse to take it when it comes to others’ interests, particularly those with whom it has a relationship of trust in any capacity.
I don’t know what’s going on, but given that they’re getting banned from multiple unrelated organizations and threatening to “crush their bones” and such, I suspect this is probably just a regular old case of someone being abusive and unhinged, getting banned because of it, and then claiming conspiracy.
What, exactly, did this person post to GitHub and/or Gitlab that got them banned? We should all know by now that any exploits posted to GitHub are cloned and forked everywhere immediately. Why are these articles so vague about what was posted?
Also, these conspiracy theories that the NSA or other .gov is forcing this are quite ridiculous, as it would be infinitely easier for them to just hand the guy a pile of money than to Streisand effect it with a visibly unhinged guy talking about dead man’s switches and crushing bones.
While they may have violated various TOS, it's my understanding that dropping a zero day like one would drop the mic at the end of an epic rant is not inherently illegal.
Maybe don't piss off your betters?
The bugs he is publishing are exactly the class of bugs that they would love to buy.
MS owns GH. It's tone-deaf and criminal.
Hasn't that been their MO since the start? Absolutely scummy company.
Microsoft is playing with fire against a researcher that has a track record of finding 0 days out of thin air. Quite a dumb thing to do.
This researcher should instead pivot to crypto smart contract bounties. A much larger payout there than from companies like Microsoft.
I'm mostly joking here, but Microsoft is one of the few companies that handle cyber security in a way that really incentivizes people not to report to them.
It's either by downplaying impact and not paying, or paying very little, or doing other researcher-hostile activities.
Especially since someone here mentioned some time ago that the black market pays about 3x for the same class of vulnerability, so you need fairly high moral standards to go the direct way.
>It's a private company. They can do what they want.
>Freedom of speech isn't freedom from consequences.
>Build your own github.
Did I miss any?
Almost like trying to censor the leaked HDCP key.
Microsoft's stance on zero day exploits is a dumpster fire of their own making.