December 4, 2025 – Tenable reports the findings to MSRC, and MSRC acknowledges
December 6, 2025 – MSRC reports that the issue is being investigated and requests a draft of the advisory
December 9, 2025 – Tenable agrees to share the draft disclosure but retains sole discretion over the final content and publication timeline, additionally requests email communication
December 10, 2025 – MSRC acknowledges disclosure plans, and agrees to investigate email-based communication options
December 10, 2025 – Tenable acknowledges
December 16, 2025 – MSRC initiates email-based communication
December 17, 2025 – Tenable acknowledges
December 18, 2025 – MSRC confirms the bug and classifies it as a Critical Severity Information Disclosure vulnerability, and expects a fix in mid-February
December 18, 2025 – Tenable acknowledges
January 1, 2026 – MSRC awards a bounty
January 20, 2026 – Tenable requests an update
January 21, 2026 – MSRC notes that updates from the product team should be available soon
January 27, 2026 – MSRC updates that the issue has been fixed, and that a CVE has been assigned
January 28, 2026 – Tenable acknowledges
