"I have proof for every single word": This security researcher's GitHub and Microsoft accounts were deleted after claiming a Windows 11 exploit in BitLocker is by design

Windows 11 displaying BitLocker settings on a laptop in front of a BitLocker Drive Encryption page from Microsoft
(Image credit: Ben Wilson | Windows Central)

Earlier this month, security sleuth and researcher "Chaotic Eclipse" (also known as Nightmare-Eclipse) published a zero-day exploit known as YellowKey, which allowed them to access BitLocker-protected drives on Windows 11 with a simple USB key. "Just can't come up with an explanation besides the fact that this was intentional. Also, for whatever reason, only Windows 11 (+Server 2022/2025) is affected; Windows 10 is not," they explained.

Last week, Microsoft publicly acknowledged awareness of the security feature bypass vulnerability in Windows. It further disclosed that it is tracking the YellowKey zero-day exploit under CVE-2026-45585 and shared mitigation measures to prevent it from gaining unauthorized access to protected drives. "The proof of concept for this vulnerability has been made public, violating coordinated vulnerability best practices," the company added.

After claiming that a backdoor into Windows 11's BitLocker is by design, the security sleuth's GitHub account was banned by Microsoft for unspecified reasons, forcing them to move their work to GitLab (via Tom's Hardware).

Interestingly, it appears that the company deleted Chaotic Eclipse's Microsoft account, which they had used to report the bugs. Eclipse described Microsoft's actions as "vindictive." In a detailed blog post, they indicated: "So let me get this straight, when I actively asked you to communicate with me, you refused, humiliated me and made sure to insult me in front of people."

"You defame me in public with your CVE-2026-45585 advisory even though you literally deleted the Microsoft account I used to report bugs to you with and I got zero pennies from doing so and I still happily did like an idiot."

"Now you take the courtesy to flag my GitHub account and wipe it out of the public, just like that? You are proving to everyone that you are actively escalating this conflict, but I'm done begging you."

"I might sound like a crazy idiot who is whining around, but I have proof for every single word I said; I just can't release it yet. Why? Microsoft still has chains in my hands; it's been like this for years, and I just can't stay silent anymore. I hope I can release the documents soon."

"Mark this date, July 14th, I will make sure your bones are shattered that day. Nothing will be released this June (or maybe I will release smtg, depending on circumstances)."

The bone of contention between the security sleuth and Microsoft appears to stem from unpaid bounties under the MSRC program. Nightmare-Eclipse indicated that Microsoft turned a deaf ear to their attempts at communication and that they "got zero pennies from doing so."


Microsoft's MSRC (Microsoft Security Response Center) program pays between $30,000 and $100,000 per endpoint zero-day, depending on the conditions. The figure can rise to $250,000 for a Hyper-V bypass.

Microsoft considers several factors when rewarding security researchers for disclosing critical vulnerabilities, including the severity of the issue, the ease of reproduction and weaponization, and the overall quality of the report — from clear documentation to a working proof-of-concept.

As such, Eclipse may be implying that Microsoft ignored or refused their zero-day reports. Another possibility is that the company declined to pay a bounty to the security sleuth, who has already uncovered six zero-day exploits.

When publishing the YellowKey zero-day exploit, Eclipse indicated that they "could have made some insane cash selling this, but no amount of money will stand between me and my determination against Microsoft."

But as it now seems, Eclipse might be planning a more sinister and concerning vendetta against Microsoft on July 14:

"Mark this date July 14th, I will make sure your bones are shattered that day. Nothing will be released this June (or maybe I will release smtg, depending on circumstances)," the researcher added. This appears to follow on from earlier claims in their blog post: that they were "told personally by [Microsoft] that they will ruin my life and they did," that they have a dead-man switch of some sort, and that they "will make sure [Microsoft's] bones are shattered."

For its part, Microsoft has remained silent on the matter, leaving me to wonder whether Eclipse's claims hold true or whether the researcher simply failed to meet the MSRC program's exact requirements for receiving a bounty on critical vulnerability disclosures. I'll keep a close eye on this situation as it unfolds, update this story, and follow up with any new details to keep you in the loop.

Kevin Okemwa
Contributor