Skip to main content
CybersecurityVulnerability Management

Microsoft Decries Uncoordinated Zero-Day Disclosures

Empty conference room with podium, rows of chairs, and laptops on tables.

"These 'uncoordinated disclosures put our customers at unnecessary risk,'" Microsoft wrote in a bulletin published on May 27, sharply criticizing researchers who made vulnerabilities public before patches were available and without prior notice.

Six Microsoft zero days identified by name and CVE

The bulletin named six vulnerabilities Microsoft said “were not responsibly disclosed.” The items listed were:

  • ‘Red Sun’ (CVE-2026-41091): a privilege escalation vulnerability in Microsoft Defender (CVSS: 7.8)
  • ‘BlueHammer’ (CVE-2026-45498): a privilege escalation vulnerability in Microsoft Defender (CVSS: 7.8)
  • ‘YellowKey’ (CVE-2026-45585): a security feature bypass vulnerability in Windows BitLocker (CVSS: 6.8)
  • ‘Undefend’ (CVE-2026-45498): a denial-of-service vulnerability in Microsoft Defender (CVSS: 4.0)
  • ‘GreenPlasma’: a privilege escalation vulnerability in Windows BitLocker
  • ‘MiniPlasma’: a privilege escalation vulnerability in the Windows Cloud Filter driver

Microsoft said the immediate public disclosures occurred before patches were ready and described the incident as putting customers at “unnecessary risk.”

Microsoft's response: investigation, mitigations and patch work

Microsoft said its security teams “have been working around the clock” to investigate these vulnerabilities, develop mitigation measures and work on security patches. The company warned that the rogue disclosures can “put proof-of-concept [exploit] code for unpatched vulnerabilities into the hands of bad actors,” a step it called “never justifiable.”

Microsoft also stated: “We remain firmly opposed to these actions, and any disclosure outside proper coordination that could harm our customers and the digital ecosystem.”

Coordinated Vulnerability Disclosure and the 90-day embargo

The bulletin urged security researchers to follow industry-standard coordinated vulnerability disclosure (CVD) procedures, in which the finder and the owner of the vulnerable product agree an embargo period — typically 90 days — to allow the vendor time to develop and push patches before the vulnerability is made public.

Microsoft described what researchers gain under CVD: credit for the finding and compensation for their contributions. The company said CVD processes are used through bug bounty programs, crowd-sourced bug hunting platforms and spontaneous vulnerability reporting activities. “Every year, we work with hundreds of security researchers through CVD,” Microsoft noted.

Microsoft framed the partnership as protective: “This partnership allows us to make updates to impacted services before proof-of-concept code can make it into the hands of bad actors. Through this valuable partnership we also ensure researchers are compensated for their responsible disclosures and publicly acknowledged for their expertise.” The bulletin closed that sentiment with: “We realize that we will not always agree on everything, but we are committed to transparency and continue to create opportunities for dialogue.”

AI acceleration cited as pressure on the 90-day rule — Claude Mythos and GPT5.5-Cyber

The bulletin noted a contemporaneous industry debate: “prominent voices in the cybersecurity industry have started to warn that the traditional CVD model must be reimagined, with some declaring that the standard 90-day embargo is effectively dead.” Experts, Microsoft said, argue disclosure windows must shrink in response to a “massive acceleration of vulnerability research” driven by advanced AI tools, explicitly naming Anthropic’s Claude Mythos and OpenAI’s GPT5.5-Cyber.

What this means for security researchers, affected enterprises, and adversaries

  • Security researchers: Microsoft urged adherence to CVD procedures to secure credit and compensation and to avoid public disclosures that the company argued could enable exploitation before patches are available.
  • Affected enterprises and security teams: Microsoft’s statement signals ongoing mitigation work and patch development led by its security teams; organizations should expect vendor-driven updates as Microsoft completes its investigations.
  • Adversaries and bad actors: Microsoft explicitly warned that uncoordinated disclosures can place proof-of-concept exploit code into malicious hands, increasing the short-term risk to unpatched systems.

The bulletin frames a clear tension: Microsoft pressing for adherence to a 90-day CVD rhythm while other experts call for shorter windows as AI speeds research and exploitation. Whether CVD timelines will change in practice — and how vendors, researchers and defenders will reconcile rapid discovery with patch timelines — remains the concrete policy and operational question implicit in Microsoft’s May 27 advisory.

Original story: Infosecurity Magazine