Disclosure rationale

Why 89 XAPI vulnerabilities were disclosed publicly on Day 0 without vendor coordination
Jakob Wolffhechel, Moksha · Copenhagen

Day-0 public disclosure without vendor pre-notification is an unusual choice for research of this scope. This page documents the factors that shaped the decision. Public sources are cited where available. Sections describing the researcher's own actions (CVE submissions, patch offers) are first-party statements.


1. No profit motive

This research was conducted independently by one person. No vendor funded the work. No consulting engagement produced it. No bug bounty program compensated it. No competing commercial interest influenced it. The researcher operates as Moksha, a single-person consultancy in Copenhagen, Denmark.

The research exists because the researcher read the XAPI source code and found that every writable Map field across 8 object types had zero input validation. The decision to publish exists because holding 89 exploitable findings privately while waiting for bureaucratic processes serves no one except the attackers who may have already found the same patterns in the same open-source code.


2. XenServer is excluded from the bug bounty

Cloud Software Group operates a bug bounty program through HackerOne. The program scope covers Cloud/SaaS products. XenServer is explicitly out of scope.

The program policy states: "coordinated disclosure reports do NOT qualify for bounty."

There is no formal channel through which Citrix accepts XenServer vulnerability reports in exchange for anything - no bounty, no acknowledgment commitment, no response SLA. A researcher who discovers XenServer vulnerabilities and reports them to Citrix is volunteering labor to a company that has structured its security program to not compensate that labor.

Source: HackerOne - Cloud Software Group program scope


3. Citrix is their own CNA

Cloud Software Group is a MITRE-authorized CVE Numbering Authority (CNA) for its own products. This means Citrix controls:

A researcher who reports vulnerabilities through Citrix's coordinated disclosure process hands control of the severity narrative to the vendor. If the vendor rates a finding lower than the researcher believes is warranted, the researcher has little practical recourse within the CVE system: the CNA writes the published record and supplies its CVSS metric, and although NVD may attach its own score later, the vendor's assessment is the one that ships with the CVE.

Source: Cloud Software Group Vulnerability Response Policy


4. Public severity dispute: CVE-2024-8068/8069

In November 2024, watchTowr disclosed CVE-2024-8068 and CVE-2024-8069 - vulnerabilities in Citrix Session Recording that watchTowr characterized as unauthenticated remote code execution.

Citrix rated both CVEs as Medium (CVSS 5.1).

The core dispute: watchTowr stated the vulnerabilities could be exploited without authentication. Cloud Software Group stated that an attacker must be authenticated. The assigned CVSS score reflects Citrix's assessment, not the discoverer's.

The incident was covered by Cybersecurity Dive, The Register, and Dark Reading. It left a public record of a severity dispute between Citrix and an independent researcher.

Source: Citrix Security Bulletin CTX691941, watchTowr disclosure


5. CitrixBleed class recurrence (2023 - 2025)

CVE-2023-4966 ("CitrixBleed") was a buffer over-read in Citrix NetScaler ADC and Gateway that leaked session tokens from memory, allowing attackers to hijack authenticated sessions. Patching alone did not close the hole: stolen tokens stayed valid until active sessions were terminated, a step Citrix's initial guidance did not make clear. CISA added the CVE to its Known Exploited Vulnerabilities catalog and, together with the FBI, published a joint advisory in November 2023 directing organizations to patch and kill all active and persistent sessions.

In June 2025, CVE-2025-5777 ("CitrixBleed 2") appeared: another out-of-bounds memory read in the same product line that again leaked session tokens, two years after the first. The root cause identified in the first incident was not addressed systemically. The recurrence demonstrates that coordinated disclosure in 2023 did not produce the architectural review that would have prevented the same vulnerability class from recurring.


6. CISA Secure by Design pledge

In May 2024, Cloud Software Group signed CISA's Secure by Design pledge, committing to seven concrete goals over one year, including:

The 89 findings in this audit are a single class of vulnerability - missing input validation on writable Map fields - across a single product line (XenServer/XAPI). The class has existed since the code was first written (~2006). The pledge was signed in 2024. The class was not addressed.

Source: CISA Secure by Design pledge signatories


7. CVE pipeline backlog

CVE reservations for all 89 findings were submitted to MITRE on 2026-04-09, fifteen days before the planned public release. No response was received.

Follow-up filings were sent to three European CVE-alternative programs on 2026-04-18: GCVE/CIRCL, ENISA, and DIVD. No response was received from any of them before publication.

CERT/CC was notified on 2026-04-23 (reference [gen-55566]), one day before public release. CERT/CC acknowledged receipt and closed the ticket the same day with generic guidance to wait two weeks for vendor coordination.

The researcher proceeded as planned. Holding 89 exploitable findings behind a 15-day-old unanswered reservation request while every deployment of the affected product remains exposed is not a defensible security posture.

Source: First-party account. MITRE submission receipts and CERT/CC reference number available on request to accredited parties.


8. Ownership structure

Cloud Software Group was formed in September 2022 when Vista Equity Partners and Evergreen Coast Capital completed their $16.5 billion acquisition of Citrix and combined it with TIBCO Software. The company is private.

Private equity ownership structures prioritize return on invested capital. Security engineering that does not produce measurable revenue impact is deprioritized under this model. The 89 findings in this audit represent 20 years of missing input validation on writable API fields - the most trivially audited class of vulnerability in software. The absence of this review across two decades of premium enterprise revenue is consistent with a governance structure that does not prioritize security engineering investment unless externally forced.

Source: Cloud Software Group press release


9. Vates (XCP-ng) conditional patch offer

On 2026-04-23, the researcher sent a direct conditional offer to Vates' CEO (with CC to the Vates security team) to transfer the 19 upstream patch proposals ahead of public disclosure, on one non-negotiable condition: the patches could not be actively delivered to Cloud Software Group through any pre-public channel.

No acknowledgment was received from Vates before the 2026-04-24 08:00 CEST public release. The patches therefore remained with the researcher at the time of publication.

The offer remains open under the same conditions. Vates is a victim of the upstream architectural failures, not an adversary of this disclosure.

Source: First-party account. The conditional offer was a private email; its existence and terms are attested by the researcher.


10. The decision

The factors above combine into a single conclusion: coordinated disclosure with this vendor, for this product, under these conditions, would have produced one of two outcomes:

  1. Silence. No bug bounty, no response SLA, no obligation to acknowledge. The findings sit in a queue controlled by a vendor with documented severity-dispute history and no external accountability mechanism.
  2. Downplaying. As their own CNA, Citrix assigns the CVSS scores. A vendor that rated what the discoverer characterized as unauthenticated RCE as Medium (CVSS 5.1), in a public dispute with watchTowr, has established a baseline for how 89 input-validation findings across 8 object types would be scored.

Neither outcome serves the deployers of the affected product. Day-0 public disclosure, with self-issued MOKSHA identifiers, detection rules for immediate deployment, and advisories detailed enough for any competent engineer to implement their own fixes, serves them better.

The researcher affirms that this decision was made in good faith, based on the public record documented above, and that the parties who demonstrate good faith are the parties entitled to cooperative handling.

Jakob Wolffhechel · Moksha · Copenhagen
jakob@wolffhechel.dk · +45 3170 7337
Published 2026-04-24 08:00 CEST · shittrix.moksha.dk