[tptacek]

When you find critical vulnerabilities in popular antivirus software, you can establish a 90 day publishing schedule, or a requirement not to publish until all related vulnerabilities are fixed, or whatever other policy you deem sensible.

Tavis Ormandy is one of the best known vulnerability researchers in the world; whatever publishing decision he and his team made, I think they probably put more thought into it than any combination of the comments on this HN thread did.

[ikeboy]

It sounds like you're saying he's above criticism for some reason related to fame? That doesn't make sense to me.

If there are details I don't know about that explain it, fine (but it doesn't look like that from what I do see) but arguments over ethics shouldn't be won by appealing to authority.

I might place more stock in your point here if he'd actually given a reason and acknowledge that he's opening up users to exploits, and say it's worth it because of X. As is it doesn't look thought out at all.

[tptacek]

I'm suggesting that the implication you're generating all over this thread that (a) there are hard-and-fast rules for disclosure and (b) Tavis Ormandy has somehow broken them is probably built on something other than firsthand knowledge of how vulnerability research works --- to say nothing of firsthand knowledge of how this particular vulnerability was handled.

[ikeboy]

Google does have a policy not to release within 90 days unless a patch is released, and this does seem to be pointing out a vulnerability that hasn't been patched. What am I getting wrong? Am I misunderstanding something?

Separately, even if they had no such policy or it was an independent researcher, I don't think discussing the ethics of disclosure should be off bounds by someone not directly involved.