Wow. Over 200 CVEs from #Microsoft and another 123 from #Adobe. It's a record-setting Patch Tuesday, but fear not! @dustin_childs has broken the release down and tells you what you need to know. Check out the blog at zerodayinitiative.com/blog/2…

Good lord 🤮

‼️ Microsoft has responded to the recent wave of public zero-day disclosures tied to Nightmare-Eclipse. In an MSRC post titled "A shared responsibility," Microsoft addressed RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma, saying the vulnerability details were not shared with the company before release. That claim is contested. Nightmare-Eclipse says at least BlueHammer wasn't a blindside. In an April 15 signed post, the actor said MSRC was fully aware of the disclosure, that a case had been filed and dismissed, and that Microsoft knew another disclosure was coming. Microsoft's new post gives no per-CVE timeline. So right now, the public record has two conflicting versions. Microsoft never printed the handle "Nightmare-Eclipse," but by naming all six vulnerabilities it left no doubt who the post was about. The company says its security teams have been working "around the clock" to assess impact, protect customers, and ship updates. It also says its Digital Crimes Unit will keep pursuing the actors who weaponize these exploits and those who enable them. The case for coordinated disclosure is straightforward. The point of giving a vendor advance notice is not to protect the vendor. It is to protect the people running the software. Patch before PoC means defenders get a head start. PoC before patch hands it to attackers. That does not make the tension one-sided. Researchers walk away from coordinated disclosure for reasons: slow fixes, disputed severity, no credit, no payment, broken trust, or deleted reporting accounts. Nightmare-Eclipse claims Microsoft revoked access to the MSRC account used to report bugs, wiped it, and ignored requests for an explanation. Microsoft's post does not address that claim directly. It says only that it still welcomes submissions from anyone through its public researcher portal, regardless of past interactions or reputation. Both things can be true at once. A vendor can have a real duty to treat researchers fairly. And a researcher can still be wrong to burn the disclosure process in a way that arms criminals. The friction between those two points is exactly where users get hurt, and it's exactly why disputes belong inside proper channels, even after the relationship breaks down.

#FrontierAI reshapes exposure risk. 🤖 But impact depends on what you do next. ⏱️ Focus on real-time vulnerability discovery, active exploitation, and continuous, context-driven #ExposureManagement. 👉 Register now to learn how: spr.ly/6016BBOWfu

🛡️ We added four vulnerabilities to our Known Exploited Vulnerabilities Catalog. Visit go.dhs.gov/Z3Q for more information. #Cybersecurity #InfoSec