Coordinated, Until It Isn't: Moksha's 89-vuln XAPI drop
Moksha's recent disclosure of 89 vulnerabilities in XAPI has sparked debate about the nature of coordinated disclosure. The decision involved multiple factors, including going public without an embargo and withholding patches from Citrix. This situation highlights the inherent risks researchers face compared to vendors in the disclosure process.
- Moksha published 89 vulnerabilities in XAPI without an embargo and withheld patches from Citrix.
- The reactions to this disclosure have been polarized, with some applauding the pushback and others condemning it as irresponsible.
- The current system of coordinated disclosure places most of the legal and reputational risks on researchers, while vendors face minimal consequences.
Opening excerpt (first ~120 words)
Policy

Coordinated, Until It Isn't

Everyone has a take on Moksha's 89-vuln XAPI drop. Almost everyone misses the same thing: it wasn't one decision, it was four: go public, go Day-0, withhold patches from Citrix, lean into the "shittrix" frame. Coordinated disclosure runs on goodwill, and the goodwill runs out sometimes.

Casey Ellis, 17 May 2026, 9 min read

Whenever I hear people say "Uncoordinated Disclosure" I immediately think of Mr Bean. Now you will too. You're welcome.

A few weeks ago an independent researcher named Jakob Wolffhechel, operating as Moksha, published 89 vulnerabilities in XAPI, the management stack underneath Citrix XenServer and XCP-ng.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at caseyjohnellis.