Security
Written by Daniel
Thursday, 08 July 2010 18:12
From Ars Technica
Displeased with the way Microsoft handled the disclosure of a security flaw last month, a group of anonymous researchers has decided to take a more aggressive stance against the company. The group, calling itself the Microsoft-Spurned Researcher Collective (a mockery of Redmond's Microsoft Security Response Center), will perform anonymous full disclosure of any security flaws that it discovers.
The anonymous group asserts that Microsoft has displayed a pattern of hostility towards security researchers, with last month's flaw being the most recent example. Tavis Ormandy, an employee with Google, discovered a flaw in the way that the Windows Help and Support Center in Windows XP handled input. This flaw could be used to attack users of that operating system. Ormandy informed Microsoft of his findings, but after five days deemed the software giant's response inadequate, and so made a full public disclosure of the problem.
This is at odds with the disclosure policy preferred by Microsoft and many other software vendors—including Google. These companies advocate what they call "responsible disclosure," in which communication of the flaw is kept private until a suitable patch or fix can be made available.