Google security engineer Tavis Ormandy tweeted, “Apparently I’m getting four credits on Tuesday.” Ormandy had disclosed a bug in Windows’ Help and Support Center to Microsoft; just five days later he went public with the bug when Microsoft didn’t commit to a patching deadline. Microsoft disputed that account, claiming it had only told Ormandy “it needed the rest of that week to decide.”
Microsoft will now credit his work on four of the 34 bugs slated for patching on Tuesday.
After the incident, Google said researchers should give vendors a 60-day window to patch and then go public with their findings to pressure vendors into patching. Not surprisingly, Microsoft has disagreed with setting patch-or-else deadlines.
Last month, Microsoft replaced the term “responsible disclosure” with “coordinated vulnerability disclosure” (CVD) to describe collaboration between researchers and vendors.