Microsoft Spurned Researchers Release 0-Day

nk497 notes the news that a group of researchers calling themselves the Microsoft-Spurned Researcher Collective (the name is a play on Microsoft's Security Response Center) have come together to protest Microsoft's perceived heavy-handedness towards researchers who disclose security flaws. Pushed into action by the reception to the flaw disclosed by Tavis Ormandy, the group has released full details and exploit code for a previously unknown Windows local privilege escalation vulnerability. The advisory for the vulnerability, which affects Windows Vista and Windows Server 2008, contains the following manifesto: "Due to hostility toward security researchers, the most recent example being of Tavis Ormandy, a number of us from the industry (and some not from the industry) have come together to form MSRC: the Microsoft-Spurned Researcher Collective. MSRC will fully disclose vulnerability information discovered in our free time, free from retaliation against us or any inferred employer."

Re:So...

[sonnejw0]

Motives be damned, as far as Microsoft knows, anyone that discovers a security vulnerability is a potential extortionist and they'll treat you that way.

What is it these people are looking for from Microsoft? Recognition that they found a vulnerability that anyone else could have found? Money or employment, maybe a resume booster? Why would anyone BOTHER to go looking for vulnerabilities in the largest operating system in the world for ALTRUISTIC reasons? It doesn't make sense. Did they expect anything other than being "spurned"? Honestly ...