GitHub bans security researcher who posted zero-day Windows exploits
Platform bans and possible coordination
- Original article notes the researcher was banned from GitHub; commenters confirm the same account is blocked on GitLab.
- Some infer Microsoft pressure on GitLab or government involvement; others call this pure speculation and ask for evidence.
- Alternative explanations suggested: straightforward ToS violations (threats, violent language) or legal pressure from lawyers.
- Several people highlight that forks of the exploit repo remain on GitHub, which weakens the theory that the purpose was to suppress code.
Researcher behavior and reliability
- Many describe the researcher as unstable or “unhinged,” citing threats like “crushing bones” and dead‑man‑switch talk.
- Others push back, saying we should first understand what they experienced (e.g., unpaid bounties, homelessness) before judging their reaction.
- There is debate about whether this is a genuine whistleblower wronged by Microsoft or an abusive individual framing it as persecution.
- Some note similarities with an earlier prolific Windows 0‑day dropper, but there is no consensus they are the same person.
Bug bounty trust and incentives
- Several comments claim Microsoft mishandled prior vulnerability reports: robotic triage, insistence on exploit videos, and allegedly not honoring published bounty tiers.
- Others with bug bounty experience say big vendors are usually strongly incentivized to pay, and systematic stinginess is unlikely.
- There’s broad agreement that if researchers stop trusting Microsoft’s process, more bugs will be sold privately to states or brokers, which is bad for users but good for the gray market.
BitLocker / “YellowKey” exploit discussion
- Exploit appears to be a BitLocker boot/authentication bypass, not a cryptographic break; typically requires the original hardware/TPM.
- Some see it as strong evidence of a deliberate backdoor for intelligence agencies; others argue it resembles yet another post‑boot bypass class and doesn’t prove intent.
- There’s confusion around whether it works when PINs/startup keys are used; claims exist but code may have been removed with the bans.
Broader themes: platforms, law, and disclosure
- Concern about Microsoft’s conflict of interest owning GitHub and selectively banning Windows‑focused researchers.
- Worry that this sets expectations GitHub will police 0‑days for all vendors, not just Microsoft.
- Multiple anecdotes say responsible disclosure is risky (legal threats, police, employer blowback), pushing people either to silence or to selling exploits.
- Some propose using state or NGO intermediaries for anonymous disclosure; others are skeptical, depending on jurisdiction and trust in government.