Microsoft has voiced strong support for Coordinated Vulnerability Disclosure (CVD), encouraging researchers to share their discoveries with affected vendors in advance. This approach allows companies to assess and address issues before the vulnerabilities become public knowledge.
Public Disclosure of Zero-Day Vulnerabilities
The statement from Microsoft follows the actions of a researcher known as Chaotic Eclipse, who revealed several zero-day vulnerabilities in various Windows components, including Defender and BitLocker. The researcher criticized Microsoft’s handling of the disclosure process and, in response, published details of these vulnerabilities publicly.
Microsoft expressed concern over these disclosures, stating, “In recent weeks, several zero-day vulnerabilities have been publicly disclosed without prior communication with Microsoft. This exposure puts our customers at unnecessary risk.”
Active Exploitation and Response
The vulnerabilities identified include BlueHammer (CVE-2026-33825), RedSun (CVE-2026-41091), UnDefend (CVE-2026-45498), YellowKey (CVE-2026-45585), GreenPlasma, and MiniPlasma. Among these, BlueHammer, RedSun, and UnDefend are reportedly being actively exploited.
Microsoft’s security teams are working tirelessly to understand the implications of these vulnerabilities, protect users, and develop necessary security updates. The company strongly opposes the release of proof-of-concept code for unpatched vulnerabilities, emphasizing the potential real-world consequences when such information is misused.
Calls for Dialogue and Cooperation
Microsoft emphasized the importance of diverse perspectives in enhancing security, stating, “We welcome different viewpoints that foster collaboration within the security community to protect everyone.” The company reiterated its commitment to transparency and dialogue through various avenues, including researcher appreciation events and security conferences.
As a result of the disclosures, GitHub has removed Chaotic Eclipse’s account, and although the exploit code was reposted on GitLab, this account has also been restricted.
Researcher’s Response and Future Actions
The researcher, in a public post, criticized Microsoft’s response to their communication efforts, alleging defamation and unfair treatment. They highlighted an advisory related to CVE-2026-45585 and claimed that their account was unjustly deleted.
The researcher announced plans to release further information on July 14, 2026, hinting at significant future developments. This ongoing situation underscores the tension between independent researchers and major tech companies in handling vulnerability disclosures.
