by ikeboy 3831 days ago
It sounds like you're saying he's above criticism for some reason related to fame? That doesn't make sense to me.

If there are details I don't know about that explain it, fine (but it doesn't look like that from what I do see) but arguments over ethics shouldn't be won by appealing to authority.

I might place more stock in your point here if he'd actually given a reason and acknowledged that he's opening up users to exploits, and said it's worth it because of X. As is, it doesn't look thought out at all.

1 comments

I'm suggesting that the implication you're generating all over this thread that (a) there are hard-and-fast rules for disclosure and (b) Tavis Ormandy has somehow broken them is probably built on something other than firsthand knowledge of how vulnerability research works --- to say nothing of firsthand knowledge of how this particular vulnerability was handled.

Google does have a policy not to release within 90 days unless a patch is released, and this does seem to be pointing out a vulnerability that hasn't been patched. What am I getting wrong? Am I misunderstanding something?

Separately, even if they had no such policy or it was an independent researcher, I don't think discussing the ethics of disclosure should be off bounds by someone not directly involved.