• Bazoogle@lemmy.world
    11 hours ago

    He also intentionally did it the day after Patch Tuesday. July 14th is also Patch Tuesday. This is about retribution for him. How you view that is going to depend on your world view. I doubt any of us feel bad for Microsoft though XD

    • kungen@feddit.nu
      10 hours ago

      And I fully believe it’d be some kind of justified retribution. The silence from Microslop’s side is deafening.

    • Flatfire@lemmy.ca
      6 hours ago

      I don’t feel bad for Microsoft, but responsible disclosure is about more than that.

      It’s ethical. It gives the developer time to correct an error before it has the potential to affect anyone using their products. When you don’t follow that process, whether one set out by the developer, or a best effort on your part, you are now contributing to the potential harm caused by that vulnerability.

      This isn’t universal, and I have no doubt that Microsoft is also partly to blame, but there’s a significant element of attention seeking in the mix here. They could have reached out to other security researchers, validated the findings in private and found another channel to work through. Maybe he tried, but largely it seems like his actions are retaliatory and broadly harmful to anyone who has to administer these products.

      I have a lot of respect for security researchers. My job relies on the work they do and the skill it takes to do it. But part of that relies on doing things in a way that minimizes potential harm.