There appears to be a great story behind the latest IE 0-day exploit (worth a read).
Here’s how it goes:
Google has been the loudest proponent for responsible disclosure in the past. But if you look at the dates in his post, he says he reported it to Microsoft on the 5th of June (a Saturday), who responded the same day. He sent the advisory early in the morning today, the 10th of June – meaning Google gave Microsoft less than 5 days to fix it. Even Mozilla backed down from a 10-day turnaround, and they’re only running a single software suite. How is it possibly reasonable to expect a company like MS to turn around a patch in 4-5 days and then get so upset that you must go full disclosure? And it’s not like Tavis was acting on his own – he credits other security researchers inside of Google for their help. So apparently it’s okay for Google to go full disclosure, but not for other researchers. The hypocrisy is amazing.
It really is.
In his defense, however, I’d like to post the following line (taken from Tavis’ page): “Finally, a reminder that this document contains my own opinions, I do not speak for or represent anyone but myself.”
About (Author Profile)
Vygantas is a former web designer whose projects are used by companies such as AMD, NVIDIA and the departed Westwood Studios. Being passionate about software, Vygantas began his journalism career back in 2007 when he founded FavBrowser.com. Having said that, he is also an adrenaline junkie who enjoys good books, fitness activities and Forex trading.