Google security engineer Tavis Ormandy is either naïve or disingenuous when he protests that his controversial disclosure of an unpatched Microsoft bug reflects solely on him and not at all on his employer.
Google is simply attempting damage control when it makes the same claim.
The real world doesn't work that way.
Microsoft's advisory was prompted by the bug's disclosure early Thursday and by the release of proof-of-concept attack code. Tavis Ormandy, a security engineer who works for Google in Switzerland, defended the decision to reveal the flaw only five days after reporting it to Microsoft. Microsoft and other researchers, however, questioned the quick publication.
Microsoft made no distinction between Ormandy and his employer in a blog post Thursday.
"This issue was reported to us on June 5, 2010 by a Google security researcher and then made public less than four days later, on June 9, 2010," said Mike Reavey, the director of the Microsoft Security Response Center (MSRC). "Public disclosure of the details of this vulnerability and how to exploit it, without giving us time to resolve the issue for our potentially affected customers, makes broad attacks more likely and puts customers at risk."
Microsoft may be milking the Google connection for more than it's worth, but not without justification. Google's position on responsible disclosure is clear, and its employee in this case clearly did not adhere to that position.
Ormandy's attempt to separate the two rings hollow, as with this message from his Twitter account. "The HelpCtr bug today was intended as a personal project. It sucks that work has been dragged into it."
It may suck, but Ormandy did the dragging. He's a Google security researcher who conducted security research about a Google competitor's product. What he wants is to be able to don a separate persona when making public the fruits of that labor.
Google says publicly it wants the same thing, telling CNet in a statement: "Tavis acted independently using research conducted in his own time. Tavis' personal views on disclosure don't necessarily reflect the views of his colleagues at Google or Google as a whole."
Not good enough.
What you do on your own time reflects upon your employer whether you or your employer wants it to or not; that has always been true. The closer the connection between your personal activities and your employer's business, the brighter that reflection becomes. When, as is the case here, your personal and business activities overlap, your choices are almost always to toe the company line or start polishing the resume.
It won't shock me if Ormandy soon has a lot more time for personal projects.