March 10, 2022 - Tenable discloses two issues to MSRC via researcher portal.
March 10, 2022 - MSRC sends automated acknowledgement.
March 18, 2022 - Tenable requests status update via researcher portal. No response from MSRC.
March 28, 2022 - Tenable requests status update via researcher portal. No response from MSRC.
April 4, 2022 - Tenable requests status update via researcher portal. No response from MSRC.
April 6, 2022 - MSRC requests issues be split into multiple tickets, but no status update is given. Tenable complies.
April 21, 2022 - Tenable requests status update via researcher portal. No response from MSRC.
April 25, 2022 - Tenable requests status update and reminds MSRC that the disclosure period is more than halfway through.
April 28, 2022 - Tenable requests status update via MSRC email due to lack of responses in researcher portal. MSRC does not respond.
May 2, 2022 - Tenable notices that issue has been silently patched. Tenable requests status update from MSRC via researcher portal. MSRC does not respond.
May 5, 2022 - Tenable requests status update via MSRC email due to lack of responses in researcher portal.
May 5, 2022 - Researcher reaches out to MSRC via Twitter (@MSFTSecurity).
May 5, 2022 - MSRC provides a status update stating that the fix is still being rolled out.
May 5, 2022 - MSRC confirms behavior reported.
May 11, 2022 - Tenable requests status update via email.
May 12, 2022 - MSRC requests phone call to bundle all Tenable discoveries and provide updates all at once despite all issues being unrelated and in separate tickets. Tenable declines request and states that written communication is preferred.
May 12, 2022 - MSRC provides status update on several issues (relevant update for this advisory states that the fix is still being rolled out).
May 18, 2022 - Tenable requests status update and states that all tested regions appear Fixed.
May 23, 2022 - MSRC states that this issue is bundled with another issue and they plan to close both cases together. Tenable reminds MSRC of their original request to separate split issues in the first place and requests status update.
May 31, 2022 - Tenable continues requesting status updates and additional information.
June 1, 2022 - Researcher reaches out to MSRC via Twitter due to lack of updates.
June 1, 2022 - MSRC states that although the issue is patched, they do not consider it a security related issue. MSRC requests phone call to discuss further.
June 2, 2022 - Tenable declines phone call request and states that written communication is preferred. Tenable refutes Microsoft’s claim that this issue was not security-related. Tenable declines phone call and requests communication be kept in writing.
June 2, 2022 - Researcher reaches out to MSRC via Twitter (DMs to @MSFTSecurity and @MSFTsecresponse) and obtains contact information for MSRC Community Manager. Tenable reaches out to this contact via email directly to request this case be escalated.
June 2, 2022 - MSRC rep requests further information. Tenable provides requested information.
June 3, 2022 - MSRC requests advance copy of security advisory and in a separate email provides another rebuttal.
June 6, 2022 - Tenable informs MSRC that case is considered closed due to MSRC's insistence this issue is not security-related.
June 6, 2022 - MSRC representatives contact Tenable and inform them that they believe it is indeed a security issue.
June 7, 2022 - Tenable and MSRC discuss varying opinions on severity.