Vulnerabilities | May 28, 2026

A shared responsibility: Protecting customers through Coordinated Vulnerability Disclosure

Microsoft criticizes uncoordinated vulnerability disclosures that put customers at risk.

Summary

Microsoft has criticized recent public disclosures of zero-day vulnerabilities without prior coordination, arguing that these actions put customers at unnecessary risk. The company emphasizes the importance of Coordinated Vulnerability Disclosure (CVD) and highlights its commitment to working with security researchers to address vulnerabilities responsibly.

Full text

By MSRC / May 27, 2026

In recent weeks several zero-day vulnerabilities have been publicly disclosed. The details of these vulnerabilities were not shared with Microsoft prior to release, and the disclosures put our customers at unnecessary risk.

Every year, we work with hundreds of security researchers through Coordinated Vulnerability Disclosure (CVD) – the industry standard that asks researchers to share their findings with affected vendors to give them an opportunity to understand the impact and address it before the details are made public. This partnership allows us to make updates to impacted services before proof-of-concept code can make it into the hands of bad actors. Through this valuable partnership we also ensure researchers are compensated for their responsible disclosures and publicly acknowledged for their expertise.

The vulnerabilities known as RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma were not responsibly disclosed. In response to the unnecessary risk created by these disclosures, our security teams have been working around the clock to understand the impact, protect our customers, and develop security updates.

We remain firmly opposed to these actions, and any disclosure outside proper coordination that could harm our customers and the digital ecosystem. Uncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable and have real-world consequences. Our security teams across the company work tirelessly tracking threat actors who look for weaknesses just like these to attack Microsoft and our customers. Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity – coordinating as needed with law enforcement around the world.

We invite diverse perspectives that help the security community work together to protect everyone. We realize that we will not always agree on everything, but we are committed to transparency and continue to create opportunities for dialogue. These conversations happen at researcher appreciation events, security conferences, and the everyday work we do together to understand and address vulnerabilities.

Our team will continue to support responsible research as we do everything we can to quickly investigate, address, and release updates for vulnerabilities that impact our customers. We always have and will continue to welcome vulnerability submissions from anyone through our public researcher portal, regardless of past interactions or reputation.

MSRC Team

Entities

Microsoft (vendor), RedSun (campaign), UnDefend (campaign), BlueHammer (campaign), YellowKey (campaign), GreenPlasma (campaign)