Microsoft: Protecting customers through Coordinated Vulnerability Disclosure(microsoft.com)
microsoft.com
Microsoft: Protecting customers through Coordinated Vulnerability Disclosure
https://www.microsoft.com/en-us/msrc/blog/2026/05/a-shared-responsibility-protecting-customers-through-coordinated-vulnerability-disclosure
Reminder that CVD is a standard (in the same way that Test Driven Development is a standard approach that someone might choose), not the standard (something that everyone must or should do). Attempting to frame CVD as "responsible disclosure" is at attempt to staple a value judgement onto that approach.
Also, for software like Windows where researchers find vulnerabilities by inspecting software locally, the idea of prosecuting a US-based researcher for disclosing a vulnerability to the public is laughable and would not succeed.