Risk & Repeat: Critical Windows bug triggers disclosure debate

To tweet, or not to tweet -- that is the question for security researchers who discover vulnerabilities that haven't yet been patched and disclosed.

Last week, Tavis Ormandy of Google's Project Zero announced via Twitter that he and colleague Natalie Silvanovich "just discovered the worst Windows remote code exec in recent memory." Ormandy went on to tweet additional information about the Windows bug, including that related attacks work on default installations of the OS and are wormable.

While Ormandy didn't divulge any specific technical details about the Windows bug, some IT professionals took exception to his tweeting about the vulnerability before it was patched. They argued tweeting about the vulnerability before its official disclosure could create unnecessary alarm for users, and questioned what value Ormandy's tweet provided to vendors and enterprise security teams.

Others, meanwhile, argued such tweets could be beneficial by raising awareness about a soon-to-be disclosed vulnerability and forthcoming patch, and could pressure the vendor into responding faster to the bug report.

While Microsoft quickly addressed the Windows bug report and released an out-of-band patch on Monday, Apr. 8, the discussion around Ormandy's tweet and the rules of responsible vulnerability disclosure continues.

In this week's Risk & Repeat podcast, editors Rob Wright and Peter Loshin discuss the concern over Ormandy's tweet; the ethics of responsible disclosure; and the role the media, enterprises and users play in the debate.