Looks like Nightmare Eclipse is at his limit.

If that's the case, thank you for your service, exposing how shitty MSRC is.

And how broken responsible disclosure is in general.

I hope you get your justice, and we can improve as an industry moving forward.

#cybersecurity #infosec #nightmareEclipse #windows #msrc

Another bitlocker vuln from yours truly, now called GreatXML.

Details below are copy-pasted from the NightmareEclipse readme:

Steps to reproduce:

1. If a Defender offline scan was initiated on the victim machine at any point, then there is no need to log in; the machine is automatically vulnerable. You will have to copy "unattend.xml" and the "Recovery" directory to the root of the recovery partition, then reboot to WinRE using shift + click on the restart button. If everything was done correctly, a shell with unrestricted access to the BitLocker volume will spawn.

2. If a Defender offline scan was never initiated, then you have to either log in and initiate it yourself or figure out a way to boot into WinRE in the offline scan state (I believe it should be very possible to do so without logging in) and follow the steps above.

Source and repo list:

https://deadeclipse666.blogspot.com/2026/06/greatxml-bitlocker-that-seems-to-only.html
https://github.com/MSNightmare/GreatXML

https://git.projectnightcrawler.dev/NightmareEclipse/GreatXML

https://git.churchofmalware.org/Nightmare_Eclipse/GreatXML

#cybersecurity #infosec #nightmareEclipse #greatxml #windows #zeroday #vulnerability #msrc

RE: https://mastodon.social/@campuscodi/116683170926460055

Microsoft would like to know:

How are you enjoying our Copilot for #MSRC ?

So Jericho weighed in on the Microsoft #MSRC anno 2026 version of the full disclosure vs CVD debate: https://jericho.blog/2026/05/31/msrc-tell-the-whole-story-please/

His blog doesn't have a share-to-Masto button, sigh, but it does have nazi sites.

MSRC; Tell The Whole Story Please

Every so often, it seems that Microsoft Security Response Center (MSRC) likes to stick their proverbial foot in their mouth on the topic of vulnerability disclosure. The root issue is that collecti…

Rants of a deranged squirrel.

We will come to a point where you will make more money exploiting an undisclosed CVE than trying to parley with Microsoft Security Response Center.

https://www.youtube.com/watch?v=9kxx5xp5nTQ

You can get their team moving by simply disclosing publicly.

Or better, you don't use Microsoft products.

#Technology #CyberSecurity #CVE #Programming #Coding #Code #Security #Microsoft #MSRC #GitHub #NightmareEclipse

"We will ruin your life" -Microsoft


lmao, what is this shitty response, MSRC.

We do not need corporate yapping like that. Cybersec is mostly filled with engineers.

People do not care about "we see the complaint"; we need action.

Say what you will do:
For example: "OK, researchers can drop their PoC in a week should we fail to give a decision on what to do," or "Okay, we will expand our work framework on both sides, so people can be treated equally."

Full transcript:
Over the past several days, we have been listening to the conversation around coordinated disclosure and the relationship between security researchers and vendors. We recognize that this relationship is both critical and, at times, fragile. We deeply value the security community, and will continue to take your feedback seriously.

To be clear about our approach to legal matters, we have no intention to pursue action against individuals conducting or publishing their security research. When an individual breaks the law and engages in malicious activity causing real harm to our customers, we will work with law enforcement as appropriate.

We recognize the work that goes into researching and submitting a vulnerability. We are committed to approaching every interaction with transparency, clear communication, and professionalism. We continue to believe strongly in Coordinated Vulnerability Disclosure as the foundation for protecting customers and improving our products. Each year we process a high volume of vulnerability reports. That volume continues to grow and will continue with the rise of AI-enabled research. We acknowledge that some interactions have fallen short and are working to learn from them.

Many of us have experience on both sides of this work, as researchers reporting vulnerabilities and as responders triaging and assessing them. That perspective informs how we approach this feedback and the importance we place on getting it right, particularly as the volume and complexity of research continues to grow.

The security community plays a vital role in helping us protect customers. We are committed to maintaining a constructive and respectful relationship and growing together. We know that, given the nature of this work, there will at times be misunderstandings. We remain committed to engaging in good faith and to providing a respectful and professional experience for all researchers, regardless of past interactions.

#cybersecurity #infosec #drama #msrc #midnighteclipse

tells you all you need to know really that SDG is silent throughout all of this and posts on shitter exclusively. #msrc

I knew eventually companies would turn on bug bounty programs. We went long enough for the collective memory of management to forget the chaos of Full Disclosure and the absolute hell of playing patch whack-a-mole.

It's funny watching them use the same language and legal threats that eventually got us to bug bounty programs in the first place.

Plus ça change...

#msrc

If I want to disclose something that I already reported to #MSRC but just haven't decided when and where... what would be a good event to do so? I wanna update my submission to be a responsible person.