
Risk & Repeat: Critical Windows bug triggers disclosure debate

This week's Risk & Repeat podcast looks at how a simple tweet about a Windows bug from Project Zero researcher Tavis Ormandy sparked a debate about vulnerability disclosure.

To tweet, or not to tweet -- that is the question for security researchers who discover vulnerabilities that haven't yet been patched and disclosed.

Last week, Tavis Ormandy of Google's Project Zero announced via Twitter that he and colleague Natalie Silvanovich "just discovered the worst Windows remote code exec in recent memory." Ormandy went on to tweet additional information about the Windows bug, including that related attacks work on default installations of the OS and are wormable.

While Ormandy didn't divulge any specific technical details about the Windows bug, some IT professionals took exception to his tweeting about the vulnerability before it was patched. They argued tweeting about the vulnerability before its official disclosure could create unnecessary alarm for users, and questioned what value Ormandy's tweet provided to vendors and enterprise security teams.

Others, meanwhile, argued such tweets could be beneficial by raising awareness about a soon-to-be disclosed vulnerability and forthcoming patch, and could pressure the vendor into responding faster to the bug report.

While Microsoft quickly addressed the Windows bug report and released an out-of-band patch on Monday, Apr. 8, the discussion around Ormandy's tweet and the rules of responsible vulnerability disclosure continues.

In this week's Risk & Repeat podcast, editors Rob Wright and Peter Loshin discuss the concern over Ormandy's tweet; the ethics of responsible disclosure; and the role the media, enterprises and users play in the debate.
