Clues, experts say Microsoft knew of IE zero-day for weeks before patching

23.09.2012
Microsoft may have known about last week's Internet Explorer (IE) zero-day bug for some time, according to its security advisory.

The vulnerability first became public on Sept. 15 when a researcher found an exploit on a known hacker server. The news prompted Microsoft to create a blocking tool within three days, then a fix for the flaw another three days later.

But the Redmond, Wash. company's security team likely knew of the bug long before that.

In the security bulletin, Microsoft credited Hewlett-Packard TippingPoint's bug bounty program, the Zero Day Initiative (ZDI), for reporting the vulnerability.

"Microsoft thanks ... an anonymous researcher, working with TippingPoint's Zero Day Initiative, for reporting the execCommand Use After Free Vulnerability (CVE-2012-4969)," the bulletin read, referring to the CVE, or Common Vulnerabilities and Exposures identifier, for the IE zero-day.

When ZDI provided Microsoft with information about the bug, however, is unknown. Neither Microsoft nor HP TippingPoint responded to questions over the weekend about CVE-2012-4969's reporting timeline. Nor has ZDI published any technical information about the vulnerability, something it does eventually after a vendor patches a bug it's reported.