Microsoft Condemns "Uncoordinated" Zero Day Disclosures

In a new bulletin, Microsoft has criticized security researchers for publicly reporting vulnerabilities in the company’s products before patches were available and without prior notice.

These “uncoordinated disclosures put our customers at unnecessary risk,” the tech giant said.

Six Microsoft Zero Days Disclosed Before Patches

The statement, published on May 27, mentioned six vulnerabilities that “were not responsibly disclosed.” These are:

  • ‘Red Sun’ (CVE-2026-41091): a privilege escalation vulnerability in Microsoft Defender (CVSS: 7.8)
  • ‘BlueHammer’ (CVE-2026-45498): another privilege escalation vulnerability in Microsoft Defender (CVSS: 7.8)
  • ‘YellowKey’ (CVE-2026-45585): a security feature bypass vulnerability in Windows BitLocker (CVSS: 6.8)
  • ‘Undefend’ (CVE-2026-45498): a denial-of-service vulnerability in Microsoft Defender (CVSS: 4.0)
  • ‘GreenPlasma,’ a privilege escalation vulnerability in Windows BitLocker
  • ‘MiniPlasma,’ a privilege escalation vulnerability in the Windows Cloud Filter driver

Because of these uncoordinated disclosures, Microsoft security teams “have been working around the clock” to investigate the vulnerabilities, develop mitigations and produce security patches.

Meanwhile, the rogue disclosures served to “put proof-of-concept [exploit] code for unpatched vulnerabilities into the hands of bad actors,” which Microsoft said is “never justifiable.”

“We remain firmly opposed to these actions, and any disclosure outside proper coordination that could harm our customers and the digital ecosystem,” the company said.

Microsoft Urges Responsible Disclosures

The company encouraged security researchers to follow industry-standard coordinated vulnerability disclosure (CVD) procedures, under which the vulnerability finder and the owner of the vulnerable product agree on an embargo period – typically 90 days – to allow the latter to develop patches before the vulnerability is made public.

In exchange, the researcher typically gets credited for finding the vulnerability and is compensated for their contribution.

CVD processes have typically been adopted through bug bounty programs, crowd-sourced bug hunting platforms and spontaneous vulnerability reporting activities.

“Every year, we work with hundreds of security researchers through CVD,” noted Microsoft.

“This partnership allows us to make updates to impacted services before proof-of-concept code can make it into the hands of bad actors. Through this valuable partnership we also ensure researchers are compensated for their responsible disclosures and publicly acknowledged for their expertise,” the company added.

“We realize that we will not always agree on everything, but we are committed to transparency and continue to create opportunities for dialogue.”

In a series of blog posts, an individual claiming to be behind the six vulnerabilities mentioned in the Microsoft bulletin alleged that Microsoft deleted their disclosure account, never compensated them, defamed them in an advisory and threatened them.

These claims have not been verified at the time of writing.

AI Boom Puts 90-Day Disclosure Rule Under Pressure

Recently, however, prominent voices in the cybersecurity industry have started to warn that the traditional CVD model must be reimagined, with some declaring that the standard 90-day embargo is effectively dead.

Experts argue that these disclosure windows must drastically shrink to adapt to the massive acceleration of vulnerability research driven by advanced AI tools like Anthropic’s Claude Mythos and OpenAI’s GPT5.5-Cyber.

Speaking to Infosecurity, Josh Bressers, VP of security at Anchore, said that if CVD is not dead, it is not healthy.

“CVD has always been a human-heavy process. But now, vulnerabilities are scaling exponentially – even before the onslaught of AI – yet most of our security teams have been flat for a long time. At best you might see them scale linearly,” he noted.

For Patrick Garrity, vulnerability researcher at VulnCheck, the CVD procedure is still valuable and necessary, and the 90-day window can still be relevant in many cases; but in some situations, such as “when exploitation is already occurring in the wild or is highly likely,” timelines may need to accelerate significantly.

Jerry Gamblin, founder of RogoLabs and former principal engineer for threat detection & response at Cisco, believes in the usefulness of CVD but is more sceptical about the future of the 90-day window.

“It was designed for a world where weaponizing a vulnerability took weeks. The defender window hasn't just shrunk; in many cases it's inverted,” he said.

Bressers believes there will need to be better collaboration between open-source contributors, security researchers and industry. “Historically security people haven't worked well with others, the secrecy was paramount. But that secrecy also made handling vulnerabilities very resource intense for everyone involved,” he added.

“Regulators may have already answered the question for us,” said Gamblin.

“The EU Cyber Resilience Act requires a 72-hour notification window, and if that becomes the global baseline, the 90-day standard starts to look like a relic,” he noted.

“The answer isn't abandoning coordination. It's tiering the timeline to match actual threat velocity: seven days for actively exploited critical vulnerabilities, 90 days as a ceiling for lower-severity findings, with vendor responsiveness as the deciding variable. I'm sure we will figure it out, but not before there is pain and suffering.”

This article was updated on May 29 to mention the allegations of an individual claiming to be behind the finding of the six vulnerabilities in question and add comments from vulnerability research experts.