Microsoft Criticizes Public Zero-Day Disclosures

Microsoft has chosen to criticize the practice of public disclosure of zero-day security vulnerabilities. This comes in the context of controversies surrounding the disclosure of several zero-day flaws by a researcher operating under the pseudonym Chaotic Eclipse (also known as Nightmare-Eclipse). Microsoft emphasizes the importance of Coordinated Vulnerability Disclosure (CVD), which is intended to allow vendors to understand and address security issues before they are made public. The discussion around the disclosure of zero-day security vulnerabilities has intensified within the security community. Microsoft urges researchers to share their findings first with the affected vendors.

This is intended to give companies the opportunity to secure their systems before the information becomes public. Microsoft views this approach as a crucial step towards improving overall cybersecurity. Chaotic Eclipse had published details about several zero-day vulnerabilities, prompting Microsoft to take a clear stance. The company argues that such disclosures without prior coordination not only endanger the affected companies but also the users who rely on these systems. Microsoft highlights that collaboration between researchers and vendors is essential to ensure the security of software and systems.

Microsoft's response comes at a time when cyber threats are increasing and companies are under pressure to enhance their security measures. According to the Cybersecurity & Infrastructure Security Agency (CISA), there was a 40% increase in reported cyberattacks in 2025 compared to the previous year. These figures underscore the urgency with which companies must respond to security vulnerabilities. Microsoft has previously taken similar positions to promote security in software development. The company has launched programs that reward researchers for discovering and reporting security vulnerabilities.

These programs aim to create incentives to strengthen collaboration between security researchers and software vendors. The controversies surrounding Chaotic Eclipse also raise questions about the responsibility of security researchers. While some in the community view disclosure as necessary to exert pressure on companies, others argue that it can jeopardize user security. Therefore, Microsoft calls for a balanced approach that considers both the rights of researchers and the safety of users. The discussion about the disclosure of security vulnerabilities is expected to gain further significance in the future.

Microsoft plans to refine its policies on Coordinated Vulnerability Disclosure to address the ever-changing threats. The company has announced that it will introduce new initiatives in the coming months to promote collaboration between researchers and vendors. The vulnerability disclosed by Chaotic Eclipse affects several widely used software products. However, Microsoft has not released specific details about the affected systems or the exact impact of the flaws. The precise number of affected systems remains unclear, highlighting the urgency with which companies must respond to such disclosures.

Microsoft stated in a release: "We believe that coordination between researchers and vendors is key to improving cybersecurity. We urge all parties to act responsibly and prioritize user safety." This statement underscores the company's position in the current debate over the disclosure of security vulnerabilities. The discussion about the responsibility of security researchers and the practice of disclosure will continue to be a central theme in the cybersecurity landscape. Microsoft has announced that it will publish new guidelines to support Coordinated Vulnerability Disclosure by the end of 2026.