[citation][nom]adipose[/nom]Bad analogy. A better one would be if he published the information on how to cause the blackout. The end result may be the same, but revealing information is quite different from actually being the attacker.

MS had 5 days to give a timetable for fixing it, but would not do so during that time (I believe he was requesting 30 days). Now that he released it, they fix it in almost no time at all. Sure seems like they could have committed to fixing it in 30 days' time.

Those that find security flaws have to have some kind of assurance by the company that the flaw will be fixed, if they are going to cooperate with them. If the company refuses to give that assurance, then why should the security "analyst" play nice?

That said, I don't agree with the action. He could have demanded the 30 day timetable, and if he didn't get it, released on day 30. Instead it seems he got mad and released it the same day when MS wouldn't play ball. Even if MS wouldn't commit to 30 days they might very well have met that goal (as they clearly were capable of).[/citation]
I have to agree with you. 30 days is plenty of time to fix the problem, or if you're not able to fix it, at least call the guy back and say, "Hey, we're working on it, give us a few more days."
To release it after only 5 days makes this guy an asshole. I hate people that quote comic books, but it's the old "with great power comes great responsibility" thing. Just because you can doesn't mean you should. So if this guy is a security researcher at Google, then he is a tool.
I would have simply told Microsoft about the exploit, given them thirty days to fix it, then released the exploit. Hell, if they told me they were working on it and it was going to take 60 days, I would have cut them some slack; after all, there are millions of lines of code to check. To release this into the wild after only 5 days is stupid. I think that if you're a "security researcher" then you have an obligation to withhold the exploit for at least 30 days. Personally I think this guy is a tool and should be held accountable for all of the systems that were hacked because he could not wait 30 days.