A security researcher publicly disclosed three Windows zero-days that were actively exploited — and subsequently had their GitHub account removed. The sequence of events has reignited a debate about vulnerability disclosure practices and drawn attention to Microsoft's dual role as both the affected software vendor and the parent company of the platform where the researcher's work was hosted.

Microsoft Calls for Coordinated Disclosure

In the wake of the disclosures, Microsoft issued a public statement reaffirming its support for Coordinated Vulnerability Disclosure (CVD), the industry-standard practice in which researchers privately report flaws to affected vendors and allow time for fixes before making details public.

According to reporting by The Hacker News, Microsoft urged the research community to share findings through its Microsoft Security Response Center (MSRC) so that the company can "better understand the impact and address them before they are publicly disclosed." The company highlighted its bug bounty programmes as an incentive for researchers who follow this path.

CVD has long been the dominant framework in the security industry. Google Project Zero, one of the sector's most influential vulnerability research teams, operates a strict 90-day disclosure deadline that has become a de facto benchmark — vendors are given three months to develop and release patches before details go public, regardless of whether a fix is ready. The rationale is that premature public disclosure of actively exploited zero-days exposes users to real-world attacks before patches are available.

GitHub Account Removal Raises Questions

The researcher's GitHub account was removed following the public disclosures. It remains unclear whether the action was directly triggered by the zero-day posts or stemmed from an unrelated terms-of-service violation. Neither Microsoft nor GitHub has provided a detailed public rationale for the removal.

The incident has drawn scrutiny because Microsoft acquired GitHub in 2018, and the platform serves as critical infrastructure for the open-source and security research communities. Account removal on GitHub can affect not only the individual but also forks, dependencies, and downstream projects that relied on the removed repositories.

The security community has documented previous instances in which researchers allege they faced professional consequences — including account restrictions and legal threats — after publishing vulnerability details that vendors would have preferred to keep quiet. Whether such actions are retaliatory or coincidental is often difficult to verify independently.

The Disclosure Debate Continues

Researchers who bypass coordinated disclosure often cite frustrations with the process: vendors taking months or years to address privately reported vulnerabilities, offering inadequate bug bounty payouts, or disputing the severity of findings. From this perspective, public disclosure serves as a form of accountability when private channels fail to produce results.

Without the researcher's account of whether prior coordination was attempted with Microsoft, the full circumstances of this case remain unclear. It is not known whether the disclosures were made after unsuccessful private reporting or without any prior contact with the vendor.

Microsoft has not announced any formal policy changes in response to the incident. The company's MSRC and bug bounty programmes remain its recommended channels for vulnerability reporting. Neither Microsoft nor GitHub has responded publicly beyond Microsoft's CVD statement.


