Slashdot Mirror


Microsoft Spurned Researchers Release 0-Day

nk497 notes the news that a group of researchers calling themselves the Microsoft-Spurned Researcher Collective (the name is a play on Microsoft's Security Response Center) have come together to protest Microsoft's perceived heavy-handedness towards researchers who disclose security flaws. Pushed into action by the reception to the flaw disclosed by Tavis Ormandy, the group has released full details and exploit code for a previously unknown Windows local privilege escalation vulnerability. The advisory for the vulnerability, which affects Windows Vista and Windows Server 2008, contains the following manifesto: "Due to hostility toward security researchers, the most recent example being of Tavis Ormandy, a number of us from the industry (and some not from the industry) have come together to form MSRC: the Microsoft-Spurned Researcher Collective. MSRC will fully disclose vulnerability information discovered in our free time, free from retaliation against us or any inferred employer."

1 of 246 comments

  1. Re:Not to side with Microsoft, but... by Mitsoid · Score: 1, Troll

    Unfortunately I'm with the security people on this.

    Disclosure of vulnerabilities is the only way to get them fixed. On top of that, how does a "security researcher" validate their claims of finding bugs if they don't release them?

    If a researcher gives a one-week or two-week notice, then releases their information -- as far as I'm concerned they're clear -- they gave notice, then published their findings for the community / other researchers. Yes, it's used by hackers too, but if we hide *everything* we learn less. If someone notices a problem in Microsoft's {insert function here} code, perhaps {Another company} with similar code has the same vulnerability, and would benefit from the knowledge?