Microsoft to thank Google researcher for privately reporting Windows bugs

Tavis Ormandy, who kicked off bug reporting debate, to get credit for reporting four flaws

The Google security engineer who stirred up a hornets' nest two months ago after publicizing a critical Windows vulnerability said Friday that Microsoft will credit his work on four of the 34 bugs slated for patching on Tuesday.

"Apparently I'm getting four credits on Tuesday," said Tavis Ormandy in a Twitter message Friday.

Ormandy is the researcher who disclosed a bug in Windows' Help and Support Center just five days after reporting it to Microsoft. Ormandy said he took the bug public when Microsoft wouldn't commit to a patching deadline; Microsoft has disputed that, claiming that it had only told Ormandy it needed the rest of that week to decide.

The resulting debate over Ormandy's actions grew heated at times, as some researchers defended his actions while others criticized him for revealing information that later was used by hackers to attack Windows PCs.

After the incident, Google said researchers should give vendors a 60-day window to patch, then go public with their findings to pressure patching. Not surprisingly, Microsoft has disagreed with setting patch-or-else deadlines.

Microsoft plugged Ormandy's vulnerability on July 13 as part of that month's Patch Tuesday. Microsoft did not credit Ormandy, or anyone else for that matter, in the MS10-042 advisory that accompanied the Help and Support Center patch.

At the time, Microsoft reiterated that that was standard practice, and had nothing to do with Ormandy specifically.

"When a security researcher is acknowledged in one of Microsoft's monthly security bulletins, it means that the vulnerability was reported to the Microsoft Security Response Center (MSRC) privately," said Jerry Bryant, a group manager with the MSRC, in an e-mail reply to questions last month. "The acknowledged individual or organization security researcher worked with us to help us understand the vulnerability, the extent of the risk to the products and platforms, and possible mitigations."

Bryant's language was identical to policies Microsoft has spelled out on its Web site.

The four flaws that Ormandy said will be acknowledged were reported privately to Microsoft, Bryant intimated. "Credit given in our bulletins is always based on the finder working with us to keep vulnerability details private until the update goes out," he said Friday. "The August bulletins will not deviate from normal process."

Bryant declined to confirm that Ormandy will, in fact, receive credit for several vulnerabilities. "As usual, we cannot discuss details of bulletins, beyond the [advanced notification] and yesterday's blog post, until they are released," he said.

Ormandy did not reply to questions about when he reported the vulnerabilities to Microsoft, and whether he thought it meant anything more than Microsoft following its usual practice.

Andrew Storms, director of security operations for nCircle Security, noted that researchers typically receive a heads-up several days prior to a Patch Tuesday that will include fixes for bugs they have privately reported.

French security researcher Matthieu Suiche said Friday that he would also receive credit for reporting four vulnerabilities on Tuesday's fix list. "Apparently I'm getting only 4 credits too," he said on Twitter.

Suiche, who now has his own security consultancy, MoonSols, has worked for EADS, the European Aeronautic Defence and Space Company; the Netherlands Forensics Institute of the Dutch Ministry of Justice; and, according to his LinkedIn profile, participated in Google's Summer of Code, a program that provides student developers stipends to write code for open-source projects.

Storms assumed that there was nothing under the surface about Ormandy receiving credit next week. "It would be pure speculation if Microsoft is patching his bugs any quicker than others," Storms said in an interview conducted via instant message. "In fact, I don't think I'd touch that topic with a 10-foot pole. But we can certainly be certain that Microsoft is keeping the conversation open and often with Tavis."

Bryant declined to respond to additional questions, including whether Microsoft was giving Ormandy's vulnerabilities higher priority than other researchers' bugs.

That didn't surprise Storms. "I think everyone wants to keep the relationship open and professional as much as possible," he said.

Last month, Microsoft urged others to drop the term "responsible disclosure" and instead substitute "coordinated vulnerability disclosure" (CVD) to describe the collaboration between researchers and vendors.

According to Mike Reavey, the director of the MSRC, the name change would eliminate the loaded word "responsible" from the debate about how researchers report bugs and how and when companies provide patches.

In an interview two weeks ago, Reavey denied that the name change was triggered by the Ormandy disclosure, saying that Microsoft had been working with outside researchers and security experts for months before the June brouhaha.

On Aug. 10, Microsoft will release 14 updates -- 8 labeled "critical" and 10 affecting Windows -- that will patch 34 bugs.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is

The march toward exascale computers
View Comments
Join the discussion
Be the first to comment on this article. Our Commenting Policies