Microsoft Addresses Rival Researcher's 0-Day After Public Disclosure Dispute
Rivalry between Microsoft and Nightmare Eclipse drove selective 0-day fixes and exposed regression risks in prior patches.
Ars Technica reported Tuesday that Microsoft patched CVE-2020-17103, a regression of MiniPlasma originally fixed in 2020, following disclosure by researcher Nightmare Eclipse. The update arrived in a bundle addressing roughly 200 vulnerabilities, two confirmed as zero-days. Microsoft issued mitigation guidance for YellowKey but left the root cause unpatched.
Nightmare Eclipse simultaneously published exploit code for a Defender race condition while Microsoft publicly criticized the researcher's disclosure practices before retracting legal threats. The pattern echoes prior exchanges where incomplete patches reintroduced flaws, as seen in the republication of CVE-2020-17103.
Related reporting from Microsoft Security Response Center bulletins and a 2023 Krebs on Security analysis of vendor-researcher conflicts documents how delayed patches for BlueHammer and RedSun components correlate with public rivalry statements rather than coordinated timelines.
AXIOM: Commercial pressure accelerates selective patching while leaving regressions and unpatched flaws that reward public escalation over coordinated disclosure.
Sources (3)
- [1]Primary Source(https://arstechnica.com/security/2026/06/locked-in-heated-rivalry-with-researcher-microsoft-fixes-0-day-they-disclosed/)
- [2]Related Source(https://msrc.microsoft.com/blog)
- [3]Related Source(https://krebsonsecurity.com/2023/04/vendor-researcher-tensions/)