Google seems to have violated its own prime directive with the premature disclosure and publishing of attack code by one of its researchers. According to this story in ComputerWorld, a Swiss Google researcher, Tavis Ormandy, gave Microsoft just 5 days before publishing the zero-day vulnerability along with attack code. This is just outrageous.
You can tell me that Ormandy did this without Google’s knowledge and consent. If that is so, they should fire him tomorrow. If it is not true, shame, shame, shame on Google for allowing their Microsoft-phobic psyche to make them violate their own prime directive to “do no evil”.
When two security researchers for whom I have a tremendous amount of respect, Andrew Storms and Robert “R-Snake” Hansen, are quoted saying things like:
"This stinks of retribution," said Hansen. "If Google really goes by responsible disclosure, they should fire Ormandy today." Hansen noted that Ormandy credited other Google security researchers for their help and linked to a Google blog on browser security in his message on Full Disclosure. "You shouldn't do that if you want to disassociate yourself from your employer."
That's impossible, argued Andrew Storms, director of security operations at nCircle Security. "[As a security researcher] you can't really separate your work from your employer. So you have to wonder if [Ormandy isn't] intentionally feeding the feud between Google and Microsoft."
Like Hansen, Storms questioned Ormandy's decision to reveal his findings just five days after he reported the vulnerability to Microsoft. "You can't say in this case that the vendor was sitting on their hands, not being responsive, which is why researchers usually go public, to force [a vendor's] hand.
"This is no better than not reporting it to Microsoft," concluded Storms.
You know that what was done here was very bad and evil. Another example: Google gives lip service to responsible disclosure, while their employee had this to say about it:
He also slammed the concept of "responsible disclosure," a term that Microsoft and other vendors apply to bug reports that are submitted privately, giving developers time to craft a patch before the information is publicly released.
"This is another example of the problems with bug secrecy (or in PR speak, 'responsible disclosure')," Ormandy said. "Those of us who work hard to keep networks safe are forced to work in isolation without the open collaboration with our peers."
I am telling you, if Google does not fire this dude, then their words about “doing no evil” don’t amount to a hill of beans. If I remember correctly, violating the prime directive carries a death penalty even in Star Trek.