A hot potato: A recently disclosed Windows vulnerability is drawing scrutiny for both its technical impact and the fallout between the researcher who exposed it and Microsoft. The situation has since expanded to include claims from the researcher that Microsoft ignored their reports and retaliated after the exploit was made public.

The issue centers on a zero-day exploit called "YellowKey," published earlier this month by a security researcher known as Chaotic Eclipse, also known online as Nightmare-Eclipse. The proof of concept demonstrates a method for accessing BitLocker-encrypted drives on Windows 11 using a USB device.

Notably, the researcher says the same method does not work on Windows 10, raising questions about differences in how the two operating systems handle disk encryption. Chaotic Eclipse said they could not identify any explanation for the behavior other than it being intentional.

BitLocker is widely used to secure data at rest, often tying disk encryption keys to the TPM and pre-boot integrity checks. A bypass that can be triggered externally suggests a weakness somewhere in the early boot chain or in how encryption keys are accessed during startup. While Microsoft has not published detailed technical information, the existence of a working exploit makes this a practical risk rather than a theoretical one.

Microsoft has acknowledged the flaw and assigned it CVE-2026-45585. The company says it is tracking the issue and has released mitigation guidance, though a full fix has not yet been detailed. It also criticized the way the vulnerability was disclosed, stating: "The proof of concept for this vulnerability has been made public, violating coordinated vulnerability disclosure best practices."

What might have remained a routine security disclosure has since escalated. Chaotic Eclipse's GitHub account was reportedly banned by Microsoft, forcing the researcher to move their work to GitLab. The researcher also claims their Microsoft account – which was used to submit vulnerability reports – was deleted.

In a blog post, Chaotic Eclipse described the situation in personal terms. "So let me get this straight, when I actively asked you to communicate with me, you refused, humiliated me and made sure to insult me in front of people," they wrote. They added: "You defame me in public with your CVE-2026-45585 advisory even though you literally deleted the Microsoft account I used to report bugs to you with and I got zero pennies from doing so and I still happily did like an idiot."

The dispute appears tied to Microsoft's bug bounty program, which is run through the Microsoft Security Response Center. Payouts can range from $30,000 to $100,000 for endpoint zero-days and can go even higher for more complex findings, depending on severity and report quality. Chaotic Eclipse claims their submissions did not result in any compensation, despite identifying multiple zero-day vulnerabilities.

The researcher also framed the public release of YellowKey as a deliberate decision. "I could have made some insane cash selling this, but no amount of money will stand between me and my determination against Microsoft," they wrote.

Since then, the tone has grown more confrontational. In the same blog post, the researcher warned: "Mark this date, July 14th, I will make sure your bones are shattered that day. Nothing will be released this June (or maybe I will release smtg, depending on circumstances)." The statement has been interpreted as a possible threat of further disclosures, akin to a "dead-man switch."

They also claimed, "[they were] told personally by [Microsoft] that they will ruin my life and they did," though there has been no independent confirmation of that allegation.

Microsoft has not publicly addressed those claims. Beyond confirming the vulnerability and issuing mitigation guidance, the company has remained silent on the broader dispute.

For now, the technical issue is mitigable but still unresolved. The larger story reflects a familiar tension within the security industry: disclosure rules, financial incentives, and platform control often collide, and when they do, the public conflict can overshadow the technical issue itself.