New group cites "hostility" as justification to publicize critical security vulnerabilities

A newly formed gang of rogue security researchers calling itself MSRC (Microsoft-Spurned Researcher Collective) has announced it will publicize any Windows vulnerabilities it finds, rather than reporting them privately to Microsoft for the company to patch. Making good on its threat, the group published in a security advisory a vulnerability that can lead to a local privilege escalation.

The group’s misguided justification for its actions: perceived hostility from Microsoft toward security researchers such as Google engineer Tavis Ormandy, who garnered criticism from Microsoft after he exposed a critical bug in Windows before giving the company a chance to fix it.

“Due to hostility toward security researchers, the most recent example being of Tavis Ormandy, a number of us from the industry (and some not from the industry) have come together to form MSRC,” the group’s advisory reads. “MSRC will fully disclose vulnerability information discovered in our free time, free from retaliation against us or any inferred employer.”

Ormandy’s actions fell into an ethical gray area: He found a flaw that needed patching sooner rather than later — and the Redmond behemoth said (according to Ormandy) it needed 60 days to fix it. In the meantime, any rogue hacker who had also discovered the flaw could surreptitiously abuse it. Ormandy’s actions were arguably justifiable in the name of spurring Microsoft to take necessary action.

The MSRC, meanwhile, doesn’t seem to have the IT community’s best interests in mind. Instead of bearing a caped-crusader type of mentality — bending the rules for the greater good — the group’s actions are more Mafia-esque: “You insulted one of our guys. Now we’re gonna hurt youse bad, and we don’t care who gets caught in da crossfire.”

Notably, the group implies that it really does want to help users: “We at MSRC would like to help you, the users, work around this issue, but PatchGuard will not allow us ;-(” The criticism of Windows’ closed nature is pretty blatant there, but again, it doesn’t justify MSRC’s heavy-handed approach. If the MSRC really places users’ interests first and foremost, perhaps it could take a page from Ormandy’s playbook and report vulnerabilities to Microsoft on the condition that the company fix them in a reasonable period of time.

The MSRC claims that it is recruiting, by the way, and has a vetting process to ensure no Microsoft employees can join.

This article, “Security researchers wage war on Microsoft,” was originally published at InfoWorld.com.