Microsoft Criticizes Public Zero‑Day Disclosures After GitHub Researcher Account Removal
What Happened – A security researcher known as Chaotic Eclipse (Nightmare‑Eclipse) publicly disclosed several Microsoft zero‑day vulnerabilities on GitHub. Microsoft responded by publicly rebuking the “full‑public” disclosure approach and urging the community to follow Coordinated Vulnerability Disclosure (CVD) processes. The researcher’s GitHub account was subsequently removed, intensifying the debate over responsible disclosure.
Why It Matters for TPRM –
- Uncoordinated disclosures can expose third‑party customers to unpatched flaws before vendors can issue mitigations.
- Vendor‑driven remediation timelines may be compressed, increasing pressure on downstream partners to accelerate patch testing.
- Policy friction between researchers and vendors can delay the availability of reliable vulnerability intelligence for risk assessments.
Who Is Affected – Cloud‑service providers, SaaS vendors, enterprise IT departments, and any organization that relies on Microsoft operating systems, Azure services, or Office 365.
Recommended Actions –
- Review your vendor‑risk registers for Microsoft‑related products and confirm you have up‑to‑date patch management processes.
- Verify that your security team receives timely vulnerability alerts from Microsoft’s security advisory feeds.
- Incorporate coordinated‑disclosure expectations into third‑party contracts and security questionnaires.
Technical Notes – The disclosed flaws were reported as zero‑day vulnerabilities affecting undisclosed Microsoft components; no CVE identifiers were released at the time of reporting. The incident underscores the tension between public‑full disclosure and coordinated processes, rather than a specific exploit chain. Source: The Hacker News