Responsible disclosure continues to generate debate, as security and compliance professionals ponder their obligation to notify vendors, the public, or both. The topic came to a boiling point in June when Google security engineer Tavis Ormandy told Microsoft he had discovered a security vulnerability in Windows XP; Microsoft acknowledged receipt of the report. Five days later, Ormandy posted details of the vulnerability and proof-of-concept code to the Full Disclosure list, a move he made due to the severity of the vulnerability, he said. "But five days notice for Microsoft to fix the problem hardly seems like a reasonable amount of time to me," said Graham Cluley, senior technology consultant at Sophos, in a company blog.
In July, Google asked the computer security community to reconsider the meaning of responsible disclosure and to adopt a more rigorous approach in order to respond more quickly to vulnerabilities. "We've seen an increase in vendors invoking the principles of 'responsible' disclosure to delay fixing vulnerabilities indefinitely, sometimes for years; in that timeframe, these flaws are often rediscovered and used by rogue parties using the same tools and methodologies used by ethical researchers," the Google security team said.