Dropping a 0day? Consider having it 0patched first.

Mitja Kolsek, Jun 9, 2026
Article title from The Register

This article was written for security researchers who, for some reason or another, have had disappointing experience with reporting vulnerabilities to software vendors, and are considering publishing a 0day.

Where we are (again)

The relationship between security researchers and software vendors has once again reached an unhealthy level these days - with several 0days in Microsoft's products having been dropped on the Internet, and the hundred-billion-dollar software giant responding with thinly veiled hints of legal threats to the research community.

We've been here before, more than once. A debate that seemed settled - or at least exhausted - during previous cycles has resurfaced. The phrase "Responsible disclosure", quite possibly Microsoft's cleverest security PR invention, is being thrown around again and discussed in terms of who exactly is supposed to be responsible for what. These discussions typically convince no-one involved, as most participants are biased in one way or another.

Our Perspective

We at 0patch come from both places: we've been security researchers for 26+ years and have reported many issues to various vendors including Microsoft in the past - some having been fixed and some not. Our experience with MSRC is mostly positive, with two extremes: we had a Microsoft security person contact us out of band for a more nuanced discussion about a reported vulnerability (much appreciated, you know who you are), and we had a nameless person in the MSRC portal kind-of demanding that we add to our blog a notice that Microsoft does not want people to use 0patch ¯\_(ツ)_/¯.

We're also, in small part, a software vendor; 0patch Agent is a Windows application running with System privileges on our users' computers, and 0patch Central is a web application controlling the agents. We've had various security issues reported to us, and like probably all vendors, accepted some as credible and rejected others as invalid.

But we also come from a third, somewhat unique place: we write patches for vulnerabilities on Windows (and vulnerabilities in Windows). To our knowledge, 0patch is currently the only non-Microsoft provider of security patches for vulnerabilities in Windows and Microsoft Office.

Unofficial 0day patches? Absolutely.

We sometimes patch a 0day in Windows, Microsoft Office or some other Windows product, meaning that a patch is available to our users before the official vendor has issued their own fix. When this happens, we make sure the vendor knows about the vulnerability; if the 0day was dropped on the internet and widely discussed or written about in the media, we assume they know - but if it was discovered by us or reported to us by a security researcher, we report it to the vendor and they usually fix it in a subsequent update. As a rule, we make these "0day patches" free for everyone until an official patch becomes available or it becomes clear that such a patch will never come. This is not a frequent event, but frequent enough that many enterprises are using 0patch for Windows and Office versions that are still receiving regular official updates from Microsoft.

When things go wrong

Communication between a security researcher who found a vulnerability and the vendor who created said vulnerability is always somewhat fragile. Expectations on both sides may differ, as may patience, specific domain knowledge, and skills both technical and human. Words and (in)actions can easily lead to a breakdown in communication, and reasonable people might still find both sides reasonable if they knew the full context.

When things break down, 0days are more likely to be dropped on the Internet. If a researcher chooses not to sell a vulnerability for private exploitation, public disclosure may feel like the only remaining option when the vendor is the sole party capable of fixing a closed-source product.

Fortunately, this is not always the case.

Our call to security researchers

Dear researcher, if you are considering dropping a 0day, we're not trying to change your mind. You have your reasons, and you have found someone else's error that can - and potentially already does - cause harm to users.

What we'd like you to consider, however, is giving us an opportunity to develop and release a free micropatch before the disclosure.

We commit to the following:

  1. An experienced security expert will review your submission.

  2. Your identity will be kept private unless you allow us to disclose it, in which case we will credit you for the finding and your assistance in helping secure affected users.

  3. We will communicate clearly about feasibility, timelines, and publication plans so you can make informed decisions about disclosure.

  4. Our patch will be free until the vendor has fixed the vulnerability or made it clear that they would not fix it (becoming a "Wontfix" patch).

  5. We will try to report the vulnerability to the vendor, and inform them about our pending patch; only with your permission will we reveal that we obtained the vulnerability from you. In the unlikely event that the vendor should offer to pay a bug bounty for the vulnerability, we will decline, unless you want us to ask the vendor to pay the bounty to you or to a charity of your choice.

Note that we may be unable to reproduce the vulnerability in a way that would, in our opinion, warrant a security patch. Sometimes a particular setting or environment context makes a crucial difference and none of us is aware of it; sometimes we may also agree with the vendor who has previously deemed the vulnerability to be below their servicing threshold.

Also, it can happen that we're able to reproduce the vulnerability but unable to create a patch: we are limited to user-space native code vulnerabilities in the Windows operating system and in applications running on Windows, so, for instance, we cannot patch Linux or website vulnerabilities.

If you're willing to explore this option, we'd be glad to hear from you:

  1. email: security@0patch.com (PGP key)

  2. X/Twitter DM: 0patch

P.S.: Of course this invitation also applies to researchers who simply don't want to communicate with the official vendor but would like to see the vulnerabilities they have found patched.