Microsoft Condemns 6 Zero-Day Disclosures as 90-Day Bug-Reporting Rule Faces Pressure

3 articles · Updated · Infosecurity Magazine · May 29
  • Six unpatched flaws in Microsoft Defender, BitLocker and the Windows Cloud Filter driver were publicly disclosed without prior notice, prompting Microsoft to say the releases exposed customers before mitigations or patches were ready.
  • Microsoft said the disclosures handed proof-of-concept exploit code to bad actors and forced its security teams to work "around the clock" on investigations, mitigations and fixes.
  • A researcher claiming responsibility for the six bugs alleged Microsoft deleted their disclosure account, withheld compensation, defamed them in an advisory and threatened them; those claims were not verified.
  • Ninety-day coordinated disclosure is now under strain as AI speeds vulnerability discovery, with security experts arguing timelines may need to shrink sharply for flaws already exploited or likely to be weaponized quickly.
  • The debate is widening beyond Microsoft: some researchers still back coordinated disclosure, but others point to faster threat cycles and rules such as the EU Cyber Resilience Act's 72-hour notification window.
When a researcher exposes unpatched flaws, who is the bigger threat to public safety: the whistleblower or the corporation?
Is Microsoft using legal threats to protect users, or is this another case of a tech giant silencing its critics?

Uncoordinated Zero-Day Disclosures Expose Millions: The 2026 Nightmare-Eclipse vs. Microsoft Conflict and Its Fallout

Overview

Between May and July 2026, Nightmare-Eclipse publicly disclosed several critical Windows vulnerabilities, including YellowKey, GreenPlasma, and MiniPlasma, without coordinating with Microsoft. This triggered a crisis in the cybersecurity community, as these flaws—especially MiniPlasma, which allows attackers to gain SYSTEM privileges on fully updated Windows 11 systems—remained unpatched and were quickly confirmed by independent researchers. The uncoordinated disclosures led to bans on code-sharing platforms and heightened tensions between researchers and Microsoft, highlighting the risks to end-users and the urgent need for better collaboration and trust in vulnerability reporting.

...