Microsoft Slams Public Zero-Day Disclosures Amid GitHub Researcher Account Removal

Microsoft criticized the public disclosure of zero-day vulnerabilities, calling for coordinated vulnerability disclosure practices instead. The company issued its statement following a researcher operating under the alias Chaotic Eclipse, also known as Nightmare-Eclipse, who disclosed multiple zero-day details publicly.

The researcher's account was subsequently removed from GitHub, though the exact circumstances remain unclear. Microsoft emphasized that vendors need advance notice to understand vulnerability impact and develop patches before information reaches the public domain. The company advocates for responsible disclosure timelines that allow organizations to address threats before attackers can weaponize them.

Zero-day vulnerabilities represent unpatched security flaws unknown to vendors. Public disclosure of these details accelerates exploitation risk across affected systems. Researchers who bypass vendor notification protocols expose organizations and users to attacks before mitigations exist.

Microsoft's push for Coordinated Vulnerability Disclosure reflects broader industry standards established by organizations like CISA and the National Institute of Standards and Technology. These frameworks typically recommend 90-day disclosure windows, allowing vendors sufficient time to develop and test patches while researchers maintain embargo compliance.

The GitHub account removal raises questions about platform enforcement of disclosure policies. Major code repositories increasingly monitor for vulnerability information that could enable attacks before patches deploy. However, researchers argue that some vendors ignore or delay response to legitimate security reports, justifying public disclosure as a pressure tactic.

The incident highlights tension between transparency advocates who believe public disclosure forces vendor accountability and security professionals who contend that early publication endangers users. Microsoft's statement reinforces its preference for private coordination, though the company has faced criticism in the past for slow patch deployment across its product portfolio.

Organizations relying on Microsoft products should monitor advisory channels for zero-day guidance. Administrators should prioritize patching once updates become available and implement network segmentation to limit blast radius if exploitation occurs before patches deploy.