Microsoft Stands Firm on Public Disclosure Policy as Risk of Zero-Day Vulnerabilities Multiplies
June 3, 2026
Microsoft has long taken issue with public disclosure of zero-day vulnerabilities, instead pushing for an industry standard of Coordinated Vulnerability Disclosure (CVD). Questions have been raised about the feasibility of continuing CVD as a policy in the forthcoming age of AI models like Mythos, which threaten to expose a target’s vulnerabilities in just minutes.
After a string of public disclosures of serious zero-day vulnerabilities in Windows, Microsoft appears to have committed even more strongly to its current approach. The company has raised some hackles with its treatment of researcher Chaotic Eclipse, who has subsequently threatened to publicly disclose even more serious bugs in sync with a scheduled “Patch Tuesday” in July. The debate brings to the forefront not just what rights and responsibilities organizations have to respond to good-faith ethical disclosures, but also whether CVD windows that can potentially last months are going to be feasible when the new frontier AI models become available in the very near future.
Microsoft asserts public disclosure rights, but threats turn off security community
The researcher asserts that they approached Microsoft privately with the zero-day vulnerabilities ahead of their public disclosure, but the company was not interested in listening to them. Microsoft, in turn, has said that the researcher’s actions are “unacceptable” and even “criminal” in providing attackers with a road map to immediate use of the vulnerabilities. Microsoft has since patched the most serious of them, but in some cases the fix took long enough that the vulnerabilities were added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, which lists only bugs with evidence of active exploitation in the wild.
The researcher echoes complaints about Microsoft’s bug reporting and bounty programs that go back years: MSRC may not respond, may appear to ignore a report and then quietly fix the bug with no acknowledgement, or may demand an excessive number of screenshots and videos to get a report past automated triage. But Microsoft also has a valid point: independent public disclosure created a window of exploitation that coordinated disclosure might have avoided.
Microsoft has taken its campaign against the researcher further than usual, however. It not only closed the researcher’s MSRC account and took down their GitHub repository (GitHub is owned by Microsoft), but also likely exercised some influence over partner GitLab in blocking a copy of it there. The use of “criminal” also suggests the possibility of charges, though this is a contested area in which companies have had little success against researchers who can demonstrate good faith in identifying damaging zero-day vulnerabilities.
And while it may seem like a personal spat, the promise of more (and worse) zero-day vulnerabilities in July could affect a broad range of Windows users. There is also the question of whether Microsoft’s CVD and public disclosure policies can survive Mythos and its contemporaries. A 90-day remediation window is simply not feasible when frontier AI models are uncovering new vulnerabilities around the clock, something that could be normalized in under a year.
Zero-day vulnerabilities began dropping in April
The researcher has now dropped a total of six zero-day vulnerabilities since April. It is unclear whether they plan to release any more before the threatened public disclosure in July. Collectively, the vulnerabilities have targeted Microsoft Defender and BitLocker, the disk encryption tool built into Windows.
It also remains unclear how Microsoft will shift its strategy (if at all) to account for Mythos and its contemporaries. The researcher has claimed the July release will “shatter the company’s bones”; whether or not that happens, a similar reckoning could come later if the company cannot adjust to rapidly developing frontier models. A 90-day remediation window is potentially long enough for an entirely new model to be developed and released in the interim.