February 25, 2026: Tenable submits disclosure via MSRC portal.
March 12, 2026: Microsoft responds that they have confirmed the behavior.
March 13, 2026: Microsoft replies that they are working on the fix.
March 26, 2026: Microsoft replies that the issue has been fixed.
April 2, 2026: Tenable asks what version the issue was fixed in and if MS plans on issuing a CVE.
April 7, 2026: Microsoft confirms that the issue was fixed in version 0.32.0. Microsoft states that due to auto-update capability, no CVE will be issued.
April 10, 2026: Tenable replies that auto update may not be mandatory and that we think a CVE should be assigned.
April 10, 2026: Microsoft replies that they will review.
April 16, 2026: Microsoft replies that they will get back to us next week about CVE assignment and requests copy of draft advisory.
April 17, 2026: Tenable shares draft advisory with Microsoft.
April 21, 2026: Tenable asks for an update.
April 21, 2026: Microsoft replies that they should get back in a few days.
April 23, 2026: Microsoft advises that the CVE consideration is under active review.
April 27, 2026: Tenable asks for an update on the CVE question.
April 27, 2026: Microsoft replies that the case does not qualify for a CVE because few users triggered the affected feature, VS Code extensions are auto updated, and that a CVE is not required when there is no required customer action.
