A new anti-Microsoft security watchdog group has popped up in response to the way the software giant has treated security researchers in the past.
The organization is dubbing itself the Microsoft-Spurned Researcher Collective, a play on the Microsoft Security Response Center. Last week, the group published information about an unpatched Windows flaw affecting Vista and Server 2008.
“Due to hostility toward security researchers, the most recent example being of Tavis Ormandy, a number of us from the industry (and some not from the industry) have come together to form MSRC: the Microsoft-Spurned Researcher Collective,” the group said via a message posted to the Full Disclosure security mailing list. “MSRC will fully disclose vulnerability information discovered in our free time, free from retaliation against us or any inferred employer.”
Tavis Ormandy is a Google security engineer who publicly disclosed a Windows bug last month after Microsoft failed to commit to a patching deadline.
The group's posting on Full Disclosure indicates that it has six members, but that they are operating anonymously.
Some may have a problem with that fact, but I do not. It might even attract some researchers within Microsoft to join and disclose serious flaws that can impact both consumers and businesses.
I don't agree with Microsoft's practice of restricting the disclosure of bugs while it is still trying to fix them. The quicker news of a bug spreads, the quicker consumers and businesses can be on alert. You can bet some malicious hackers will already know about these flaws, so there's no point in keeping the public unaware.
The benefit of fully disclosing these security flaws far outweighs the harm that might be done by the malicious hackers who learn about these bugs in the press.
Here's hoping the group continues to expand. It will certainly help Microsoft improve its security fix response time.