Microsoft Calls the Zero-Day Dumps Irresponsible. The Researcher Says Microsoft Started It.

A researcher, known as Chaotic Eclipse, has publicly disclosed six zero-day vulnerabilities in Windows components, including Defender and BitLocker, without prior notice to Microsoft, prompting the company to label the move as irresponsible¹. The researcher, however, claims that Microsoft had ignored their initial attempts at disclosure, leading to the public release of the vulnerabilities, along with proof-of-concept code. Three of the disclosed vulnerabilities, known as BlueHammer, RedSun, and UnDefend, have already been exploited in the wild. This incident highlights the escalating tensions between researchers and vendors over responsible disclosure practices. The lack of coordination between the researcher and Microsoft has resulted in a shortened window for patching, making it essential for organizations to assess their exposure to these vulnerabilities immediately. The situation underscores the need for timely and collaborative vulnerability disclosure to prevent widespread exploitation.