Microsoft to thank Google researcher for privately reporting Windows bugs

Tavis Ormandy, who kicked off bug reporting debate, to get credit for reporting four flaws

The Google security engineer who stirred up a hornets' nest two months ago after publicizing a critical Windows vulnerability said Friday that Microsoft will credit his work on four of the 34 bugs slated for patching on Tuesday.

"Apparently I'm getting four credits on Tuesday," said Tavis Ormandy in a Twitter message Friday.

Ormandy is the researcher who disclosed a bug in Windows' Help and Support Center just five days after reporting it to Microsoft. Ormandy said he took the bug public when Microsoft wouldn't commit to a patching deadline; Microsoft has disputed that, claiming that it had only told Ormandy it needed the rest of that week to decide.

The resulting debate over Ormandy's actions grew heated at times , as some researchers defended his actions while others criticized him for revealing information that later was used by hackers to attack Windows PCs.

After the incident, Google said researchers should give vendors a 60-day window to patch, then go public with their findings to pressure patching. Not surprisingly, Microsoft has disagreed with setting patch-or-else deadlines.

Microsoft plugged Ormandy's vulnerability on July 13 as part of that month's Patch Tuesday. Microsoft did not credit Ormandy, or anyone else for that matter, in the MS10-042 advisory that accompanied the Help and Support Center patch.

At the time, Microsoft reiterated that that was standard practice, and had nothing to do with Ormandy specifically.

"When a security researcher is acknowledged in one of Microsoft's monthly security bulletins, it means that the vulnerability was reported to the Microsoft Security Response Center (MSRC) privately," said Jerry Bryant, a group manager with the MSRC, in a e-mail reply to questions last month. "The acknowledged individual or organization security researcher worked with us to help us understand the vulnerability, the extent of the risk to the products and platforms, and possible mitigations."

Bryant's language was identical to policies Microsoft has spelled out on its Web site.

The four flaws that Ormandy said will be acknowledged were reported privately to Microsoft, Bryant intimated. "Credit given in our bulletins is always based on the finder working with us to keep vulnerability details private until the update goes out," he said Friday. "The August bulletins will not deviate from normal process."

Bryant declined to confirm that Ormandy will, in fact, receive credit for several vulnerabilities. "As usual, we cannot discuss details of bulletins, beyond the [advanced notification] and yesterday's blog post, until they are released," he said.

Ormandy did not reply to questions about when he reported the vulnerabilities to Microsoft, and whether he thought it meant anything more than Microsoft following its usual practice.

Andrew Storms, director of security operations for nCircle Security, noted that researchers typically receive a heads-up several days prior to a Patch Tuesday that will include fixes for bugs they have privately reported.

French security researcher Matthieu Suiche said Friday that he would also receive credit for reporting four vulnerabilities on Tuesday's fix list. "Apparently I'm getting only 4 credits too," he said on Twitter .

Suiche, who now has his own security consultancy, MoonSols , has worked for EADS, the European Aeronautic Defence and Space Company; the Netherlands Forensics Institute of the Dutch Ministry of Justice; and, according to his LinkedIn profile, participated in Google's Summer of Code, a program that provides student developers stipends to write code for open-source projects.

Storms assumed that there was nothing under the surface about Ormandy receiving credit next week. "It would be pure speculation if Microsoft is patching his bugs any quicker than others," Storms said in an interview conducted via instant message. "In fact, I don't think I'd touch that topic with a 10-foot pole. But we can certainly be certain that Microsoft is keeping the conversation open and often with Tavis."

Bryant declined to respond to additional questions, including whether Microsoft was giving Ormandy's vulnerabilities higher priority than other researchers' bugs.

That didn't surprise Storms. "I think everyone wants to keep the relationship open and professional as much as possible," he said.

Last month, Microsoft urged others to drop the term "responsible disclosure" and instead substitute "coordinated vulnerability disclosure" (CVD) to describe the collaboration between researchers and vendors.

According to Mike Reavey, the director of the MSRC, the name change would eliminate the loaded word "responsible" from the debate about how researchers report bugs and how and when companies provide patches.

In an interview two weeks ago, Reavey denied that the name change was triggered by the Ormandy disclosure, saying that Microsoft had been working with outside researchers and security experts for months before the June brouhaha.

On Aug. 10, Microsoft will release 14 updates -- 8 labeled "critical" and 10 affecting Windows -- that will patch 34 bugs.

Join the PC World newsletter!

Error: Please check your email address.

Tags GoogleMicrosoftsecurityWindowssoftwaretwitterMalware and Vulnerabilitiesoperating systems

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments

Most Popular Reviews

Latest News Articles


PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?