A security researcher, frustrated with Microsoft's handling of vulnerability disclosures, has publicly released a proof-of-concept exploit for a Visual Studio Code (VS Code) flaw. The vulnerability allows attackers to push malicious extensions via the Workspace Recommendations feature by configuring compromised repositories. This leak is the latest example of a bug hunter taking matters into their own hands due to dissatisfaction with the company's response to security reports. The researcher, Ammar Askar, disclosed the issue to a contact at the open-source platform and then released the exploit just an hour later [1]. This incident highlights the ongoing tensions between security researchers and vendors over disclosure policies. The leak of this exploit poses a significant risk to VS Code users, who may be vulnerable to malicious extensions, so practitioners should prioritize updating their software and monitoring for suspicious activity to mitigate potential threats.
Another bug hunter leaks Microsoft exploits in defiance of company’s handling of vulnerability disclosures
⚠️ Critical Alert
Why This Matters
Yet another aggrieved bug hunter has leaked a vulnerability affecting a Microsoft product after becoming disillusioned with the way the company handles security reports.
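For the monitoring advice above, one defensive check is to list the extensions a checkout recommends before it is opened in VS Code. The script below is an added example, not code from the researcher or from Microsoft. It reads the two places VS Code takes workspace recommendations from (`.vscode/extensions.json` and `*.code-workspace` files) and flags any publisher outside an allowlist; the allowlist contents and the sample file are constructed assumptions.

```python
import json
import re
from pathlib import Path

# Assumption: publishers your organisation has vetted (constructed sample values).
ALLOWED_PUBLISHERS = {"ms-python", "dbaeumer"}
EXT_ID = re.compile(r"^[a-z0-9][a-z0-9-]*\.[a-z0-9][a-z0-9._-]*$", re.I)
_STR = r'"(?:\\.|[^"\\])*"'  # a JSON string literal, so comment markers inside it survive

SAMPLE = """{
  // constructed sample, not taken from any real repository
  "recommendations": [
    "ms-python.python",
    "dbaeumer.vscode-eslint",
    "unknown-publisher.helper-tools", /* unvetted */
  ]
}"""

def strip_jsonc(text):
    """Drop // and /* */ comments, then trailing commas, leaving string contents intact."""
    def keep_strings(m):
        return m.group(0) if m.group(0).startswith('"') else ""
    text = re.sub(_STR + r"|//[^\n]*|/\*.*?\*/", keep_strings, text, flags=re.S)
    return re.sub(_STR + r"|,(?=\s*[\]}])", keep_strings, text)

def audit_recommendations(jsonc_text):
    """Return (extension_id, reason) findings for one recommendations file."""
    data = json.loads(strip_jsonc(jsonc_text))
    # .code-workspace files nest the list under an "extensions" object.
    recs = data.get("extensions", data).get("recommendations", [])
    findings = []
    for ext in recs:
        if not isinstance(ext, str) or not EXT_ID.match(ext):
            findings.append((str(ext), "malformed identifier"))
        elif ext.split(".", 1)[0].lower() not in ALLOWED_PUBLISHERS:
            findings.append((ext, "publisher not on allowlist"))
    return findings

def audit_repo(root):
    """Map each recommendation file under root to its findings (clean files are omitted)."""
    paths = [*Path(root).rglob(".vscode/extensions.json"), *Path(root).rglob("*.code-workspace")]
    results = {}
    for p in paths:
        try:
            found = audit_recommendations(p.read_text(encoding="utf-8"))
        except (ValueError, AttributeError) as exc:  # bad JSON, bad encoding, or wrong shape
            found = [("<unparsed>", f"could not parse: {exc}")]
        if found:
            results[str(p)] = found
    return results
```

Run `audit_repo()` on a fresh clone before opening it in the editor; a file that fails to parse is reported rather than skipped, so it still gets a manual look.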
References
- The Register. (2026, June 3). Another bug hunter leaks Microsoft exploits in defiance of company’s handling of vulnerability disclosures. *The Register*. https://www.theregister.com/security/2026/06/03/another-bug-hunter-leaks-microsoft-exploits-in-defiance-of-companys-handling-of-vulnerability-disclosures/5250590
Original Source
The Register