On June 2, 2026, security researcher Ammar Askar published exploit code for a VS Code zero-day that lets an attacker steal a victim's GitHub OAuth token with a single click. He notified GitHub just one hour before making the vulnerability public. The exploit targets github.dev, the browser-based version of VS Code, and abuses the webview message-passing system to inject a malicious extension that exfiltrates the token.
This case is a textbook example of full disclosure, the vulnerability disclosure model in which the researcher publishes every detail, working exploit code included, without waiting for the vendor to develop and release a patch. It sits at the far end of the disclosure spectrum, opposite the coordinated vulnerability disclosure (CVD) model that most security organizations recommend.
For cybersecurity students and professionals, this case raises fundamental questions: When is full disclosure justified? What responsibility do vendors have to researchers? And most importantly, how can the industry bridge the growing trust gap between researchers and technology companies?
To understand why Askar chose full disclosure, we need to examine his previous experience with Microsoft's security response:
In a 2022 blog post, Askar described finding a critical remote code execution vulnerability in VS Code's GitHub Repositories extension. He reported it through Microsoft's bug bounty program, expecting standard coordinated disclosure. However, according to Askar, Microsoft silently fixed the vulnerability without acknowledging the security impact, without crediting him in release notes, and without paying a bounty, internally classifying the fix as a "reliability improvement" rather than a security patch.
This experience shaped his approach. As he stated in his disclosure of the June 2026 zero-day: "In my past experience reporting github.dev bugs to them, they tell you that it's out of scope and go report it to MSRC. And as I outlined in the article, I really don't want to deal with MSRC on VSCode bugs."
This pattern is not isolated. The anonymous researcher Nightmare Eclipse has disclosed multiple Windows zero-days (BlueHammer, RedSun, GreenPlasma, MiniPlasma, YellowKey, and UnDefend) in recent months, citing identical frustrations with Microsoft's Security Response Center (MSRC). Microsoft responded with unprecedented threats of legal action, stating they "will work with law enforcement as appropriate" when researchers break the law.
Security vulnerability disclosure exists on a spectrum. Understanding these models is essential for any cybersecurity professional:
Coordinated vulnerability disclosure (CVD), also called "responsible disclosure," is the approach recommended by ENISA, ISO/IEC 29147, and most industry bodies. The researcher privately notifies the vendor and withholds public details for an agreed period, 90 days by common convention (the standard itself does not fix a number), before publishing. This gives the vendor time to build and ship a fix, and users time to apply it, before the details become public.
Under full disclosure, the researcher publishes all details immediately upon discovery, or with minimal advance notice. The argument, associated with Rain Forest Puppy's RFPolicy (which escalates to public disclosure if the vendor does not respond within days) and with researchers such as HD Moore, is that keeping vulnerabilities secret protects negligent vendors, not users. The NCSC (UK National Cyber Security Centre) notes that full disclosure can accelerate patch development by creating public pressure.
In the zero-day market, the vulnerability is sold to governments, brokers, or security vendors and is never publicly disclosed by the researcher. Sales to vendor-side acquisition programs (Trend Micro's ZDI, for example) can end in coordinated disclosure and defensive signatures; sales to governments and gray-market brokers feed surveillance and offensive operations, and the bug may stay unpatched for years. Because nothing is published, this model does not feed the CVE ecosystem.
Google's Project Zero gives vendors 90 days from the initial report before automatic public disclosure, with a 30-day grace period for patch adoption if the fix ships inside that window. This hybrid approach balances vendor patch time with researcher transparency. Google's data shows that 97% of vendors patch within the 90-day window, validating that deadlines drive action.
| Model | Vendor Notice | Public Disclosure | Risk Level |
|---|---|---|---|
| CVD / Responsible | Typically 90 days before publication | After the patch ships | Low (if the vendor patches) |
| Project Zero | 90 days | Day 90 regardless (plus 30 days' grace if fixed in time) | Medium |
| Full Disclosure | Minimal to none | Immediately | High: users exposed before a fix exists |
| Zero-Day Market | None | Never (sold privately) | Market-dependent |
The VS Code zero-day falls closest to full disclosure: Askar gave one hour's notice, which is effectively immediate disclosure for practical purposes. This is the high-risk end of the spectrum: every github.dev user is exposed until GitHub and Microsoft ship a fix to the service.
Security researchers choose full disclosure for several reasons, all relevant to this case:
1. Erosion of Trust. When a vendor silently fixes a vulnerability without rewarding or crediting the researcher (as Askar describes with his 2022 VS Code bug), the researcher has no incentive to follow CVD for future discoveries. Trust is the foundation of CVD; once broken, it is difficult to rebuild.
2. Scope Disputes. Vendors often classify vulnerabilities as "out of scope" for bug bounty programs if they affect specific components, features, or configurations. When researchers are told to "go report it to MSRC" (as Askar was), they may conclude their effort won't be compensated and choose public disclosure instead.
3. Public Pressure for Patches. The researcher may believe the vulnerability is so critical that only public pressure will motivate the vendor to prioritize a fix. The VS Code zero-day, a one-click token theft with no patch available, certainly qualifies.
4. Principle of Transparency. Some researchers argue that security through obscurity is fundamentally flawed: users have a right to know about vulnerabilities affecting their systems even when no patch exists, so that they can apply workarounds or take the system offline. Public catalogs such as CISA's Known Exploited Vulnerabilities (KEV) list rest on a related premise: defenders can only prioritize what they know about.
5. Prior Negative Experience. Repeated dismissive responses from vendors create a class of researchers who are permanently unwilling to engage with those vendors' disclosure programs. This is a systemic problem that no single fix can address โ it requires organizational culture change within vendor security teams.
From an educational perspective, this vulnerability is important to understand because of its technical and operational impact:
The Verizon 2026 Data Breach Investigations Report found that the median time from vulnerability disclosure to active exploitation has dropped from 63 days in 2022 to just 12 hours in 2026, driven largely by AI-assisted reverse engineering and exploit automation. This compressed timeline makes the disclosure model choice even more consequential.
What could have been done differently? Several alternative disclosure paths might have produced a better outcome:
If Microsoft had adopted a Project Zero-like policy: A clear, published 90-day deadline with automatic disclosure creates a predictable process that researchers can rely on. Microsoft's Published Vulnerability Research Policy already allows researchers to disclose vulnerabilities that are fixed or acknowledged โ but the key gap is the silent-fix pattern that undermines trust.
If GitHub had a dedicated researcher liaison: Many large platforms (Google, Apple, Meta) have dedicated security researcher relationships and fast-track disclosure programs. A GitHub-specific disclosure path for github.dev bugs could have handled Askar's report differently, potentially as a CVE-2026-XXXXX with coordinated disclosure timeline.
If bug bounty programs covered all VS Code components: The "out of scope" response to platform-level vulnerabilities discourages researchers from investing time in finding them. Broadening program scope to cover the full application stack โ including browser-based components โ would incentivize responsible reporting.
If legal threats weren't the first public response: Microsoft's May 2026 threat of legal action against Nightmare Eclipse has been widely criticized as counter-productive. Researchers who fear legal retaliation are less likely to engage with CVD programs and more likely to choose full disclosure or sell to zero-day brokers.
This case study offers several actionable lessons for cybersecurity students and professionals:
Further reading: ENISA's "Good Practice Guide on Vulnerability Disclosure" provides a comprehensive framework for organizations building their own disclosure programs. CISA's Binding Operational Directive 20-01 requires US federal civilian agencies to publish a vulnerability disclosure policy. ISO/IEC 29147:2018 defines the international standard for vulnerability disclosure; its companion, ISO/IEC 30111, covers the vendor-side vulnerability handling process.
What is full disclosure in cybersecurity?
Full disclosure is a vulnerability disclosure model where the researcher publishes all details about a security vulnerability, including exploit code, without waiting for the vendor to release a patch. Proponents argue it creates public pressure for fixes and respects users' right to know. Critics argue it puts users at unnecessary risk before patches exist.
Is Askar's disclosure legal?
Good-faith security research is increasingly protected, but the protection is narrower than "publishing exploit code is legal." In the United States, the DMCA Section 1201 exemption for security research and the Department of Justice's 2022 charging policy for the Computer Fraud and Abuse Act cover good-faith research; they do not make every publication safe, and how the bug was found (for instance, testing against a production service without authorization) matters as much as what is published. In the EU, the Cybersecurity Act and the NIS2 directive push member states and vendors toward coordinated disclosure. Researchers who publish with intent to cause harm, or who exceeded authorized access while researching, can still face legal action.
Did Microsoft do anything wrong in this case?
According to Askar, Microsoft's handling of his previous VS Code vulnerability report, silently fixing it without credit, was the reason he chose full disclosure for this one. Whether Microsoft's actions constituted a "wrong" is a matter of perspective: they fixed the bug, but their process lacked transparency and researcher acknowledgment. This case highlights the gap between legally compliant security response and trust-building security response.
Should all vulnerabilities be fully disclosed?
Most cybersecurity experts and organizations recommend against full disclosure as the default model. The ENISA CVD guidelines, the ISO/IEC 29147 standard, and Google's Project Zero model all support coordinated disclosure with reasonable timelines. Full disclosure is best reserved for cases where: the vendor is unresponsive, the vulnerability is being actively exploited (zero-day in the wild), or the researcher has a documented pattern of poor vendor treatment.
How can I stay safe from vulnerabilities that are fully disclosed?
Immediately: revoke, do not just clear. Clearing github.dev cookies ends your browser session, but an OAuth token that has already been exfiltrated stays valid until it is revoked on the server side. Sign out of all sessions and revoke or regenerate affected tokens and OAuth application grants in your GitHub account settings, and avoid opening untrusted links in github.dev until a fix is confirmed. Medium-term: monitor CVE databases, CISA's KEV catalog, and security news for the patch. Long-term: adopt defense-in-depth practices: separate accounts for different systems, 2FA everywhere, fine-grained tokens with short expiry and minimal scopes, and a password manager to generate unique, strong credentials.
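One concrete way to do the medium-term monitoring above, as an added example that is not part of the original article: a script that triages a CISA KEV-style JSON feed against an inventory of the products you run. It assumes the public KEV feed layout (a top-level "vulnerabilities" list whose entries carry cveID, vendorProject, product, vulnerabilityName, dateAdded, dueDate and knownRansomwareCampaignUse); the feed and the inventory in the block are constructed for the example, and the CVE identifiers in it are synthetic placeholders, not real entries. One caveat: KEV lists only vulnerabilities CISA has confirmed as exploited in the wild, so a freshly disclosed bug like the one above will not appear until then; this is a tool for prioritising patching, not for learning of disclosures.

```python
"""Triage a CISA KEV-style feed against your own software inventory.

Added example, not code from the article or from CISA. Assumes the public
KEV JSON layout (vulnerabilities[] with cveID, vendorProject, product,
vulnerabilityName, dateAdded, dueDate, knownRansomwareCampaignUse).
SAMPLE_FEED and INVENTORY are constructed; the CVE IDs are placeholders.
"""
from __future__ import annotations

import json
from datetime import date, datetime

# Constructed sample in the KEV layout. The cveID values are synthetic.
SAMPLE_FEED = json.dumps({
    "title": "constructed sample feed",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor",
         "product": "Example Editor", "vulnerabilityName": "Credential exposure",
         "dateAdded": "2026-06-03", "dueDate": "2026-06-10",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor",
         "product": "Example Browser", "vulnerabilityName": "Sandbox escape",
         "dateAdded": "2026-06-05", "dueDate": "2026-06-26",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor",
         "product": "Other Firewall", "vulnerabilityName": "Auth bypass",
         "dateAdded": "2026-06-01", "dueDate": "2026-06-08",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Hypothetical inventory: (vendor, product) pairs actually deployed.
INVENTORY = [("ExampleVendor", "Example Editor"),
             ("ExampleVendor", "Example Browser")]

# Fixed "today" so the example is reproducible offline.
DEMO_TODAY = date(2026, 6, 12)


def load_kev(raw: str) -> list[dict]:
    """Parse the feed and return its vulnerability entries (empty if absent)."""
    return json.loads(raw).get("vulnerabilities", [])


def matches_inventory(entry: dict, inventory: list[tuple[str, str]]) -> bool:
    """Case-insensitive vendor match plus case-insensitive product substring match."""
    vendor = entry.get("vendorProject", "").lower()
    product = entry.get("product", "").lower()
    return any(v.lower() == vendor and p.lower() in product for v, p in inventory)


def triage(raw: str, inventory: list[tuple[str, str]], today: date) -> list[dict]:
    """Return inventory hits sorted by due date, flagging overdue and ransomware use."""
    hits = []
    for entry in load_kev(raw):
        if not matches_inventory(entry, inventory):
            continue
        due = datetime.strptime(entry["dueDate"], "%Y-%m-%d").date()
        hits.append({
            "cveID": entry["cveID"],
            "product": entry["product"],
            "dueDate": due,
            "overdue": due < today,
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
        })
    # Earliest deadline first; ransomware-linked entries win ties.
    hits.sort(key=lambda h: (h["dueDate"], not h["ransomware"], h["cveID"]))
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_FEED, INVENTORY, DEMO_TODAY):
        state = "OVERDUE" if hit["overdue"] else "due"
        tag = " [ransomware]" if hit["ransomware"] else ""
        print(f'{hit["cveID"]} {hit["product"]}: {state} {hit["dueDate"]}{tag}')
```

To run it against the live feed, replace SAMPLE_FEED with the body of CISA's published KEV JSON and DEMO_TODAY with date.today(); the matching is deliberately loose on product name because vendors rarely spell product names the way your asset inventory does, so review the hits rather than acting on them blindly.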