@gborn Well, just stop doing "Responsible Disclosure" and sell the exploit directly to the highest bidder instead.

  • Zerodium, for example, pays in Monero without asking questions…

#Microsoft #ResponsibleDisclosure #Zerodium #Monero #Exploits

Microsoft Revives Vulnerability Disclosure Debate with Researcher Crackdown

Microsoft is stirring up controversy in the vulnerability disclosure debate, clashing with a security researcher over the responsible handling of zero-day vulnerabilities. The tech giant's strong response, including threats of legal action, has sparked heated discussion on coordinated disclosure.

https://osintsights.com/microsoft-revives-vulnerability-disclosure-debate-with-researcher-crackdown?utm_source=mastodon&utm_medium=social

#VulnerabilityDisclosure #CoordinatedDisclosure #ZeroDay #Microsoft #ResponsibleDisclosure


Microsoft cracks down on vulnerability disclosure, sparking debate. Learn how coordinated disclosure impacts security research and what it means for you, read now.

OSINTSights

California Back & Pain Specialists exposed 133GB of patient PHI on a public server (3,400+ driver’s licenses + full medical records).

After responsible disclosure, AWS took it offline. Company remains silent.

#DataBreach #CyberSecurity #HIPAA #ResponsibleDisclosure #Healthcare

Full report

https://write-ups.security-chu.com/2026/06/California-Back-Pain-Specialists-with-data-breach.html

@PogoWasRight

US: California Back & Pain Specialists Exposes 133GB of Patient Medical Records on Public Server

Summary: This report discloses a severe security misconfiguration in a publicly exposed server belonging to California Back & Pain Specialists...

write-ups.security-chu.com

AI-Powered Vulnerability Disclosure Forces Urgent Remediation Push

The era of reactive vulnerability disclosure is over - it's time for a coordinated, global effort to stay ahead of AI-powered threats, involving governments, software vendors, and emergency responders. With AI now capable of identifying exploitable vulnerabilities at unprecedented…

https://osintsights.com/ai-powered-vulnerability-disclosure-forces-urgent-remediation-push?utm_source=mastodon&utm_medium=social

#AipoweredVulnerabilityDisclosure #ResponsibleDisclosure #ArtificialIntelligence #VulnerabilityManagement #EmergingThreats


Learn how AI-powered vulnerability disclosure drives urgent remediation and coordinated resilience efforts globally, read Melissa Hathaway's perspective now.

OSINTSights

Some more context regarding the topic of responsible disclosure I shared last week: https://www.pcmag.com/news/microsoft-threatens-researcher-over-bug-reports-triggers-cybersecurity

Microsoft's vulnerability disclosure program seems to be a bit... unfair in terms of how it treats researchers that share their reports with the company. At least according to some who have publicly spoken about it.

#cybersecurity #security #infosec #vulnerability #responsibledisclosure #microsoft

#Microsoft walks back its threat to pursue those who don't disclose responsibly as criminals. They don't apologize, but merely "clarify" their position in a post on X.com today. Since their statement doesn't seem to be on their blog, I am linking to x.com:

https://x.com/msftsecresponse/status/2061293718942908925

This is the type of threat to researchers that @zackwhittaker and I had been looking at in our survey on threats to journalists and researchers. It was impressive to see all of the experts like @GossiTheDog speaking up to slam Microsoft for their blog post of May 27.

Confronted with overwhelming criticism by the security community, Microsoft stepped back.

#responsibledisclosure #Microsoft

Microsoft Security Response Center (@msftsecresponse) on X

Over the past several days, we have been listening to the conversation around coordinated disclosure and the relationship between security researchers and vendors. We recognize that this relationship is both critical and, at times, fragile. We deeply value the security community,

X (formerly Twitter)

No #microslop what #chaoticeclipse does is *exactly* what #responsibledisclosure is about:
If you find a vulnerability, you first report it to the vendor so they can fix the issue, and later you can take the credit.
But if that vendor fails to get their shit together or actively refuses to fix or even acknowledge it, then you *have to* make that public.

Security.txt is a relatively new standard that helps security researchers report vulnerabilities in your website or IT systems. This makes the internet more secure for everyone.

@SIDN has published a new information page in English on security.txt: https://www.sidn.nl/en/modern-internet-standards/security-txt

Want to know if security.txt is set up correctly on your website? Test it on https://Internet.nl!

#securitytxt #security #responsibledisclosure #internetstandards

Security.txt | Cybersecurity | SIDN

Security.txt provides a straightforward, secure and structured mechanism for reporting website security issues. We tell you everything you need to know to get started with the standard.

SIDN - The company behind .nl
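As an added example (not SIDN's or Internet.nl's code), the checker below applies the core rules of RFC 9116, the security.txt standard the post above refers to: the file lives at /.well-known/security.txt on an HTTPS origin, at least one Contact field is required and each must be a URI with a scheme (mailto:, https:, tel:), exactly one Expires field is required and must be an RFC 3339 timestamp that is not in the past (and should be less than a year out), Preferred-Languages may appear at most once, and web URIs must use https://. The two sample files and the fixed "now" timestamp are constructed for the demo; signature verification (the optional OpenPGP cleartext signature) is out of scope here.

```python
# Added example, not SIDN's or Internet.nl's code: a minimal checker for the
# RFC 9116 security.txt format. GOOD_SAMPLE, BAD_SAMPLE and DEMO_NOW are
# constructed demo data, not taken from any real site.
import re
from datetime import datetime, timedelta, timezone

# Field names defined in RFC 9116 section 2.5; matching is case-insensitive.
KNOWN_FIELDS = {"acknowledgments", "canonical", "contact", "encryption",
                "expires", "hiring", "policy", "preferred-languages"}
URI_FIELDS = ("contact", "acknowledgments", "canonical", "encryption",
              "hiring", "policy")
URI_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")


def parse_security_txt(text):
    """Split a security.txt body into {field: [values]} plus syntax problems."""
    fields, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank lines and comments
            continue
        name, sep, value = line.partition(":")
        name = name.strip().lower()
        if not sep or not name or " " in name:
            problems.append(f"line {lineno}: not a 'Field: value' line")
            continue
        if name not in KNOWN_FIELDS:
            problems.append(f"line {lineno}: unknown field '{name}'")
        fields.setdefault(name, []).append(value.strip())
    return fields, problems


def parse_rfc3339(value):
    """RFC 3339 timestamp -> timezone-aware datetime; 'Z' is read as +00:00."""
    v = value[:-1] + "+00:00" if value.endswith(("Z", "z")) else value
    dt = datetime.fromisoformat(v)
    if dt.tzinfo is None:
        raise ValueError("missing UTC offset")
    return dt


def check_security_txt(text, now=None):
    """Return a list of findings; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    fields, findings = parse_security_txt(text)

    # Contact: REQUIRED, at least one occurrence.
    if not fields.get("contact"):
        findings.append("contact: required field is missing")
    # Every URI-valued field must carry a scheme; web URIs must be https://.
    for name in URI_FIELDS:
        for value in fields.get(name, []):
            if not URI_SCHEME.match(value):
                findings.append(f"{name}: '{value}' is not a URI with a scheme")
            elif value.lower().startswith("http://"):
                findings.append(f"{name}: '{value}' must use https://")

    # Expires: REQUIRED, exactly once, RFC 3339, in the future, ideally < 1 year.
    expires = fields.get("expires", [])
    if len(expires) != 1:
        findings.append(f"expires: must appear exactly once (found {len(expires)})")
    for value in expires:
        try:
            dt = parse_rfc3339(value)
        except ValueError:
            findings.append(f"expires: '{value}' is not an RFC 3339 timestamp")
            continue
        if dt <= now:
            findings.append(f"expires: '{value}' is in the past; file is stale")
        elif dt - now > timedelta(days=365):
            findings.append(f"expires: '{value}' is more than a year out (SHOULD be less)")

    # Preferred-Languages: at most one occurrence.
    if len(fields.get("preferred-languages", [])) > 1:
        findings.append("preferred-languages: must appear at most once")
    return findings


# Constructed demo data (fixed clock so the result is reproducible).
DEMO_NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)
GOOD_SAMPLE = """\
# Constructed sample security.txt (example data only)
Contact: mailto:security@example.com
Contact: https://example.com/report-a-vulnerability
Expires: 2026-12-31T23:59:00.000Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en, nl
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/responsible-disclosure
"""
BAD_SAMPLE = """\
Contact: security@example.com
Contact: http://example.com/report
Expires: 2020-01-01T00:00:00Z
Expires: 2029-01-01T00:00:00Z
Preferred-Languages: en
Preferred-Languages: nl
Telephone: +31 10 123 4567
"""

if __name__ == "__main__":
    for label, sample in (("good", GOOD_SAMPLE), ("bad", BAD_SAMPLE)):
        print(label, check_security_txt(sample, now=DEMO_NOW) or "OK")
```

The checker deliberately reports the stale Expires value separately from the "exactly once" rule, because a file that has expired is the most common way a once-correct security.txt silently stops working: researchers are told to treat an expired file as unreliable, so Expires needs to be renewed (ideally via a calendar reminder or a CI check like this one) rather than set once.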

Responsible Disclosure is a cornerstone of cybersecurity. Without it, we allow malicious actors to have a head start compared to the developers who aim to fix the identified vulnerabilities. Therefore, I find it worrying that Microsoft now has to put out an announcement to stick to these best practices.

There might be cases where public disclosure is better than waiting for a fix. If an organization refuses to acknowledge a problem, for example. But even then, they need to be given reasonable time to respond to the findings/reports.

At worst, innocent bystanders (such as customers) might be negatively impacted (e.g., through leakage of private information) because of the recklessness of some "security researchers", who might have had good intentions.

Microsoft's announcement: https://www.microsoft.com/en-us/msrc/blog/2026/05/a-shared-responsibility-protecting-customers-through-coordinated-vulnerability-disclosure

#cybersecurity #security #infosec #vulnerability #responsibledisclosure #microsoft

A shared responsibility: Protecting customers through Coordinated Vulnerability Disclosure

Microsoft Decries Uncoordinated Zero-Day Disclosures

Microsoft slammed researchers who publicly revealed six zero-day vulnerabilities without giving the company a heads-up, putting customers at unnecessary risk. The tech giant named and shamed the flaws, including privilege escalation vulnerabilities in Microsoft Defender and a security feature bypass vulnerability in Windows…

https://osintsights.com/microsoft-decries-uncoordinated-zero-day-disclosures?utm_source=mastodon&utm_medium=social

#ZeroDay #VulnerabilityDisclosures #Microsoft #ResponsibleDisclosure #PrivilegeEscalation


Microsoft criticizes uncoordinated zero-day disclosures, urging responsible vulnerability reporting to protect customers; learn how to prioritize secure practices now.

OSINTSights