In the world of computer security, the industry standard best practice is a process called “responsible disclosure:” when a security issue is discovered with a software product, the discoverer reports to the problem to the software vendor and gives them time to develop a patch or workaround. Once a fix is available, then the bug’s discoverer (or the affected software company) can make information about the bug public. The idea is to reduce (or eliminate) the amount of time knowledge about the problem is floating around the Internet with no fix available.
Now, an anonymous group of security researchers has become frustrated with the “hostility” displayed by software giant Microsoft to outside security researchers, and has decided to throw responsible disclosure to the wind. Naming themselves the Microsoft-Spurned Researchers Collective—MSRC, a play on Microsoft’s own Microsoft Security Response Center—they have pledged to full disclose any vulnerabilities they uncover, without first reporting the problems to Microsoft so the company can evaluate them and develop a fix. To make good on their charter, the group disclosed a vulnerability in Windows Vista and Server 2008 that could be used to crash systems and, potentially, execute malicious code.
The anonymous group cites Microsoft’s recent treatment of Tavis Ormandy as the inventive for their action; Ormandy found the 17-year-old security problem in WIndows’ Virtual DOS Machine and more recently reported a significant security issue with Windows XP’s Help Center. Microsoft identified Ormandy as a Google employee; Ormandy maintains his reports to Microsoft were independent of Google and the company’s name should not have been used.
If the Microsoft-Spurned Researcher Collective gains momentum—and is able to deliver up significant security vulnerabilities to the general public—the group could be a boon to attackers and malware developers always looking for new ways to break into Windows systems. However, the group’s existence highlights the often contentious relations between software vendors and security researchers: while the vast majority of security issues are reported and patched without public drama, software makers do need to be mindful of how they interact with broader computer security communities.
