Microsoft to thank Google researcher for privately reporting Windows bugs

Tavis Ormandy, who kicked off bug reporting debate, to get credit for reporting four flaws

The Google security engineer who stirred up a hornets' nest two months ago after publicizing a critical Windows vulnerability said Friday that Microsoft will credit his work on four of the 34 bugs slated for patching on Tuesday.

"Apparently I'm getting four credits on Tuesday," said Tavis Ormandy in a Twitter message Friday.

Ormandy is the researcher who disclosed a bug in Windows' Help and Support Center just five days after reporting it to Microsoft. Ormandy said he took the bug public when Microsoft wouldn't commit to a patching deadline; Microsoft has disputed that, claiming that it had only told Ormandy it needed the rest of that week to decide.

The resulting debate over Ormandy's actions grew heated at times, as some researchers defended his actions while others criticized him for revealing information that later was used by hackers to attack Windows PCs.

After the incident, Google said researchers should give vendors a 60-day window to patch, then go public with their findings to pressure patching. Not surprisingly, Microsoft has disagreed with setting patch-or-else deadlines.

Microsoft plugged Ormandy's vulnerability on July 13 as part of that month's Patch Tuesday. Microsoft did not credit Ormandy, or anyone else for that matter, in the MS10-042 advisory that accompanied the Help and Support Center patch.

At the time, Microsoft reiterated that this was its standard practice and had nothing to do with Ormandy specifically.

"When a security researcher is acknowledged in one of Microsoft's monthly security bulletins, it means that the vulnerability was reported to the Microsoft Security Response Center (MSRC) privately," said Jerry Bryant, a group manager with the MSRC, in an e-mail reply to questions last month. "The acknowledged individual or organization security researcher worked with us to help us understand the vulnerability, the extent of the risk to the products and platforms, and possible mitigations."

Bryant's language was identical to policies Microsoft has spelled out on its Web site.

The four flaws that Ormandy said will be acknowledged were reported privately to Microsoft, Bryant intimated. "Credit given in our bulletins is always based on the finder working with us to keep vulnerability details private until the update goes out," he said Friday. "The August bulletins will not deviate from normal process."

Bryant declined to confirm that Ormandy will, in fact, receive credit for several vulnerabilities. "As usual, we cannot discuss details of bulletins, beyond the [advanced notification] and yesterday's blog post, until they are released," he said.

Ormandy did not reply to questions about when he reported the vulnerabilities to Microsoft, and whether he thought it meant anything more than Microsoft following its usual practice.

Andrew Storms, director of security operations for nCircle Security, noted that researchers typically receive a heads-up several days prior to a Patch Tuesday that will include fixes for bugs they have privately reported.

French security researcher Matthieu Suiche said Friday that he would also receive credit for reporting four vulnerabilities on Tuesday's fix list. "Apparently I'm getting only 4 credits too," he said on Twitter.

Suiche, who now has his own security consultancy, MoonSols, has worked for EADS, the European Aeronautic Defence and Space Company; the Netherlands Forensics Institute of the Dutch Ministry of Justice; and, according to his LinkedIn profile, participated in Google's Summer of Code, a program that provides student developers stipends to write code for open-source projects.

Storms assumed that there was nothing under the surface about Ormandy receiving credit next week. "It would be pure speculation if Microsoft is patching his bugs any quicker than others," Storms said in an interview conducted via instant message. "In fact, I don't think I'd touch that topic with a 10-foot pole. But we can certainly be certain that Microsoft is keeping the conversation open and often with Tavis."

Bryant declined to respond to additional questions, including whether Microsoft was giving Ormandy's vulnerabilities higher priority than other researchers' bugs.

That didn't surprise Storms. "I think everyone wants to keep the relationship open and professional as much as possible," he said.

Last month, Microsoft urged others to drop the term "responsible disclosure" and instead substitute "coordinated vulnerability disclosure" (CVD) to describe the collaboration between researchers and vendors.

According to Mike Reavey, the director of the MSRC, the name change would eliminate the loaded word "responsible" from the debate about how researchers report bugs and how and when companies provide patches.

In an interview two weeks ago, Reavey denied that the name change was triggered by the Ormandy disclosure, saying that Microsoft had been working with outside researchers and security experts for months before the June brouhaha.

On Aug. 10, Microsoft will release 14 updates -- 8 labeled "critical" and 10 affecting Windows -- that will patch 34 bugs.

Gregg Keizer

Computerworld (US)