OBLAIDISH NEWS
Researcher threatens second Windows zero‑day amid Microsoft dispute

A security researcher has warned that a second Windows zero‑day will be released after a clash with Microsoft over the company’s vulnerability‑disclosure process.

A security researcher has announced plans to publish a second Windows zero‑day exploit after a public dispute with Microsoft over the firm’s vulnerability‑disclosure policy [The Register]. The researcher previously released a Windows zero‑day (identified as CVE‑2026‑XXXXX) in March, prompting Microsoft to issue an emergency patch. In a follow‑up statement, the researcher accused Microsoft of “delaying or withholding” patches and said the company’s coordinated‑disclosure approach “fails to protect users in a timely manner.”

Microsoft responded that its process follows industry‑standard coordinated disclosure, emphasizing that patches undergo extensive testing before release to avoid regressions. The company’s security team also noted that the March exploit was addressed within ten days of notification, a timeline it described as “consistent with our policy.”

The threat of a second exploit raises immediate concerns for Windows engineers responsible for patch deployment and risk assessment. If the exploit is released, organizations will need to prioritize mitigation strategies, potentially accelerating the rollout of interim controls while awaiting an official patch. The episode also spotlights the broader tension between vendors and independent researchers, where differing expectations around disclosure speed and transparency can lead to public confrontations.

Both parties agree that the ultimate goal is to secure Windows users, but the disagreement over how quickly vulnerabilities should be made public underscores a persistent challenge in the security ecosystem.
