Comment Re:Target Microsoft (Score 1) 404
> The responsible thing to do when you find a bug is to inform those who are at risk from the bug. Any delay leaves those people at risk unnecessarily, and is irresponsible.
The users were at ~0% risk until the information was disclosed in the wild (with example of exploit). It is likely that this vulnerability has existed undiscovered for months or even years. Waiting an additional 7-10 days to disclose to the world and give Microsoft the ability to patch this (or at least assess the impact) would have been the responsible thing.
If some Google researcher had to track down this vulnerability and it hadn't yet been observed in the wild, it conceivably had ZERO systems at risk. All software has defects and potential vulnerabilities, only the known vulnerabilities actually pose immediate risk. The minute that researcher fully disclosed, every Windows desktop system has become a potential target, whereas immediately before none were at risk (assuming this wasn't in the wild).
The generally accepted responsible practice is to inform the party responsible for fixing the bug (Microsoft in this case), and give them a reasonable window of time to issue a fix. If they fail to fix in a timely fashion, or it is observed in the wild, then go full disclosure. What this researcher did was flat-out irresponsible, and considering it exposed a business rival's users to more risk, was also a malicious act.
Had the Google researcher found a security flaw in GMail or Google Drive, he most certainly would have informed the appropriate Google product team and kept the vulnerability confidential. Perhaps after resolution the researcher would have released an academic explanation of the flaw and how it was dealt with.