In a new bulletin, Microsoft has criticized security researchers for publicly reporting vulnerabilities in the company’s products before patches were available and without prior notice.
These “uncoordinated disclosures put our customers at unnecessary risk,” the tech giant said.
Six Microsoft Zero Days Disclosed Before Patches
The statement, published on May 27, mentioned six vulnerabilities that “were not responsibly disclosed.” These are:
- ‘Red Sun’ (CVE-2026-41091): a privilege escalation vulnerability in Microsoft Defender (CVSS: 7.8)
- ‘BlueHammer’ (CVE-2026-45498): another privilege escalation vulnerability in Microsoft Defender (CVSS: 7.8)
- ‘YellowKey’ (CVE-2026-45585): a security feature bypass vulnerability in Windows BitLocker (CVSS: 6.8)
- ‘Undefend’ (CVE-2026-45498): a denial-of-service vulnerability in Microsoft Defender (CVSS: 4.0)
- ‘GreenPlasma,’ a privilege escalation vulnerability in Windows BitLocker
- ‘MiniPlasma,’ a privilege escalation vulnerability in the Windows Cloud Filter driver
Because of these uncoordinated disclosures, Microsoft security teams “have been working around the clock” to investigate these vulnerabilities and develop mitigation measures and work on security patches.
Meanwhile, the rogue disclosures allowed to “put proof-of-concept [exploit] code for unpatched vulnerabilities into the hands of bad actors,” which Microsoft said is “never justifiable.”
“We remain firmly opposed to these actions, and any disclosure outside proper coordination that could harm our customers and the digital ecosystem,” the company said.
Microsoft Urges Responsible Disclosures
The company encouraged security researchers to follow industry standard coordinated vulnerability disclosure (CVD) procedures, where a vulnerability finder and the owner of the vulnerable products convene an embargo period – typically 90 days – to allow the latter to develop patches before the vulnerability is made public.
In exchange, the researcher typically gets credited for finding the vulnerability and is compensated for their contribution.
Read more: How to Disclose, Report and Patch a Software Vulnerability
CVD processes have typically been adopted through bug bounty programs, crowd-sourced bug hunting platforms and spontaneous vulnerability reporting activities.
“Every year, we work with hundreds of security researchers through CVD,” noted Microsoft.
“This partnership allows us to make updates to impacted services before proof-of-concept code can make it into the hands of bad actors. Through this valuable partnership we also ensure researchers are compensated for their responsible disclosures and publicly acknowledged for their expertise,” the company added.
“We realize that we will not always agree on everything, but we are committed to transparency and continue to create opportunities for dialogue.”
AI Boom Puts 90-Day Disclosure Rule Under Pressure
Recently, however, prominent voices in the cybersecurity industry have started to warn that the traditional CVD model must be reimagined, with some declaring that the standard 90-day embargo is effectively dead.
Experts argue that these disclosure windows must drastically shrink to adapt to the massive acceleration of vulnerability research driven by advanced AI tools like Anthropic’s Claude Mythos and OpenAI’s GPT5.5-Cyber.
Read now: What Fronter AI Models Like Mythos and GPT-Cyber Mean for Modern Cybersecurity
