[Photo: Google security researcher Tavis Ormandy. Credit: Google+/Dhillon Kannabhiran]

On Sunday, well-known Google security researcher Tavis Ormandy released code that teaches hackers how to crash or gain control over Windows.
It’s his latest move in a long-running skirmish he’s had with the security folks in Redmond. He thinks they take too long to fix bugs that researchers like him find and submit to them.
So, he’s trying to force them to respond faster by finding bugs and telling people about them. In this case, he even wrote an “exploit” and published that too. An exploit is the code hackers use. It’s how they hack.
He’s not being particularly malicious. By publishing the exploit, the good guys can see the problem just as the bad guys can.
Still, there’s a long-standing code of ethics in the security world. If you find something broken in someone else’s code, you are supposed to tell the company and give it 30-60 days to fix it before you reveal the hack to the world (a process called disclosure).
Microsoft has an age-old reputation for doing a poor job with security and Ormandy has been pressing Microsoft for years to be faster about fixing bugs. In Microsoft’s defence, because Windows is popular, lots of hackers report flaws and not all of them are dangerous. So it doesn’t rush to fix every vulnerability someone reports.
Meanwhile, Ormandy also has a reputation. In 2010, he angered many in the security world by only giving Microsoft five days before publishing a vulnerability he found.
Now Ormandy’s employer, Google, has stepped in and sided with Ormandy.
Last week Google said that if its engineers find security flaws in others’ code, they will only wait seven days before disclosing it to the world.