
Microsoft removes GitHub account of researcher who publicly dropped zero-days without coordinated disclosure, then publicly endorses CVD.
Microsoft deleted the GitHub account of security researcher Chaotic Eclipse (aka Nightmare-Eclipse) after he publicly disclosed multiple zero-days in Microsoft products without following CVD (Coordinated Vulnerability Disclosure: the practice of privately notifying the vendor and giving it time to ship a patch before going public).
Shortly after, Microsoft published an official statement strongly endorsing CVD, urging the research community to give vendors time to understand impact and develop fixes before public disclosure.
The structural problem: Microsoft has owned GitHub since 2018. Using that platform to suspend the account of someone disclosing bugs in Microsoft's own products is a direct conflict of interest — not neutral platform policy enforcement.
The technical details of the specific vulnerabilities have not been released yet. What is clear is that the researcher chose full public disclosure, likely after receiving no response, or an inadequate one, from the vendor.
The full disclosure vs CVD debate isn't new, but this case has three distinct characteristics:
1. The vendor is also the platform. Microsoft can patch or ignore a vulnerability, and it can also delete the account of the researcher who published it. That asymmetric power didn't exist a decade ago.
2. Real chilling effect. Other researchers will think twice before publishing Microsoft zero-days on GitHub, regardless of whether they followed CVD correctly.
3. CVD's legitimacy as a bilateral agreement. When a vendor uses platform leverage to coerce researchers, it undermines the premise that CVD is a fair, good-faith process between equals.
The industry benchmark is Google Project Zero's 90-day deadline (since 2021 with an additional 30-day grace period for patch adoption once a fix ships): if the vendor has not shipped a fix within that window, publishing the details is considered legitimate. Whether that timeline was followed here, or whether the researcher reported the bugs to Microsoft at all, remains unknown.
Microsoft is entitled to advocate for CVD. What it can't do credibly is defend a good-faith disclosure process while simultaneously using its ownership of the world's largest code platform as a coercion tool.