Community support for Tavis Ormandy, security researcher

The highly-publicized disclosure of a 0-day Microsoft vulnerability by Tavis Ormandy has divided security researchers.

While some deem his action irresponsible, others support it. Among those who think he did the right thing is a group of security researchers who formed the Microsoft-Spurned Researcher Collective.

In a security advisory published on Monday, they revealed the details of an unpatched 0-day flaw affecting Windows Vista and Windows Server 2008 that has been discovered last week by VUPEN Security.

“Due to hostility toward security researchers, the most recent example being of Tavis Ormandy, a number of us from the industry (and some not from the industry) have come together to form MSRC: the Microsoft-Spurned Researcher Collective,” they revealed in the advisory. “MSRC will fully disclose vulnerability information discovered in our free time, free from retaliation against us or any inferred employer.”

They didn’t disclose their names, but have offered a workaround for the issue that only Microsoft can implement. They also posted a contact email so that anyone who wants to “responsibly disclose a vulnerability through full disclosure” or wants to join their team, can contact them – though they made it clear that Microsoft employees needn’t apply.