I'm curious what communication happened in that time. I'm not inclined to give Microsoft the benefit of the doubt but "vulnerability reported" doesn't necessarily mean "we sent full details in a clearly documented way to the right place where it would get in front of a human".
For something given a cvss of 10, that is a ridiculous amount of time.. although hopefully they fixed it within a reasonable amount of time and just took forever to disclose it
I don't necessarily disagree with the rating of 10 here (I know anything about the actual impact of this vulnerability), but please note that CVSS really isn't a perfect system, and it is quite easy to reach ridiculously high CVSS scores with even minor vulnerabilities, if you are 'maybe a bit too literal' in its interpretation.
The official CVSS3.1 example score for a stored XSS is 9.0.
>2023-10-03 - Vulnerability reported to vendor
>2024-06-06 - Coordinated public release of advisory