Iria

Tom Ferris is walking a fine line. He could be Microsoft's friend or foe.

Ferris, an independent security researcher in Mission Viejo, Calif., found what he calls a serious vulnerability in Microsoft's Internet Explorer Web browser. He reported it to the software giant on Aug. 14 via the "secure@microsoft.com" e-mail address and has since exchanged several e-mail messages with a Microsoft researcher.

Up to that point, Ferris did everything according to Microsoft's "responsible disclosure" guidelines, which call for bug hunters to delay the announcement of security holes until some time after the company has provided a fix. That way, people who use flawed products are protected from attack, the argument goes.

Last weekend, however, Ferris came close to running afoul of those guidelines by posting a brief description of the bug on his Security Protocols Web site and talking to the media about the flaw. So far, the move has done little more than raise some eyebrows at Microsoft.
___________
Read More / Source: ZDNet