Indeed it is, because Tavis's mail says that "Microsoft was informed about this vulnerability on 5-Jun-2010," while his full-disclosure post is dated June 9 or 10, depending on the time zone.
According to some, the problem isn't even that the _fix_ didn't arrive within a few days, but that no SA - in which at least partners would have been warned - was issued either. The SA, too, appeared only under pressure, on June 10, after the row had broken out. This despite the fact that, according to Tavis, Microsoft had already confirmed the bug on the 5th: "and they confirmed receipt of my report on the same day."
If we don't believe him, then let's believe the MSRC:
"This issue was reported to us on June 5th, 2010 by a Google security researcher and then made public less than four days later, on June 9th, 2010. "
And the problem that has provoked anger in security circles is presumably this:
The security researcher who disclosed this vulnerability has expressed concerns regarding the inclusion of his employer’s name in relation to this vulnerability. While there continues to be a difference of opinion, we have included both this researcher’s view and our view in this blog post. His point of view is that he reported the vulnerability not as an employee, but as an individual action by him as an independent researcher.
At Microsoft we do not believe that it's feasible to disassociate the two. We believe the actions of employees, when related to the work they are doing at a technology company, should reflect the policies of their employer.
Despite these differences of opinion, we continue an open dialog with this researcher and ask the security researcher community to continue working with us to help protect customers.
--
trey @ gépház