Supporters of Tavis Ormandy believe that his decision to spoon-feed attackers a play-by-play exploit to infect your computers was justified. And they're upset with what they deem bad press. Here are the two primary beefs they have:
1. Microsoft refused to give in to Tavis' demand that he be the one to set their development schedule.
Rebuttal: Microsoft has customers and shareholders to answer to. Had Tavis followed the normal disclosure procedure, he would have stated his timeframe up front and then released only after, and only if, the vendor (in this case, Microsoft) missed that deadline. The vendor doesn't get to agree or disagree with the timeline, but it does still get to set its own development schedule within it. 45 to 60 days' warning is the norm. Not 4 or 5 days, and certainly not 2 working days.
This balance is practiced under both full and responsible disclosure by the majority of legitimate security researchers. It gives the vendor time to fully research the issue, and to build, test and ship a fix, while the exploit is kept out of the hands of attackers for a pre-determined period. In the interim, users are kept out of the line of fire. Microsoft didn't fail here; Tavis did.
2. Journalists are calling out Google in their articles.
Rebuttal: Like it or not, Tavis IS a Google employee. A member of the Google security team, no less. His efforts to create, and irresponsibly disclose, attacks that are then used against innocent people (most of whom are Google users in one way or another) DO reflect (very poorly) on his employer. And it's certainly not as if Google could have been unaware of his background when they hired him.
Tavis' exploit writing began around 2004. He became a Google intern in June 2006 and, at some point after that, a full-time employee on the Google security team. It seems unlikely Google was unaware of his activities. After all, in Tavis' own words, here are the things he is most proud of:
"The vulnerabilities I'm most proud of are probably my attack against gpg signed messages, and my zlib heap overflow vulnerability."
"Although it's not widely known I was responsible, I discovered both of the libtiff vulnerabilities that ultimately led to the execution of unsigned code on the sony psp and the apple iphone."
As an aside, let me point out that these comments make it readily apparent that Tavis is fully aware of the ramifications of releasing exploit code. He himself refers to his work as attacks and acknowledges that they led to the execution of unsigned code on shipping consumer devices.
The longer Tavis works at Google, the worse he becomes. In the beginning, or at least while he confined his exploit writing to his pet open source projects, he did practice responsible disclosure. Here's an example comment from one of his earlier efforts, in 2006:
Tavis Ormandy again poked on gpg and found this vulnerability. The new version has been released yesterday and should by now be available on all mirrors.
Note that the details went public only after the fixed version had been released. This demonstrates that Tavis fully accepts and understands responsible disclosure when it suits him.
Tavis didn't start delving into Windows until after October 2008, two years after starting work for Google. Based on how and where some of those findings were published, it looks as if he may have been double-dipping: engineering exploits while employed by Google and then selling them to exploit-for-hire consultancies. No complaints there, though, as at least that kept them out of harm's way.
His power play (demanding a given response within a given number of days), which is at the heart of this controversy, doesn't seem to have started until much more recently, after he graduated to bigger fish like Microsoft and Sun.
Remember, he did pretty much the same thing to Sun over the April 2010 Java Web Start (javaws) exploit. Same consequences, too: he gave Sun only a few days, after which he rushed to publish a ready-made exploit, and a few days later innocent Web surfers were being attacked with it. Just like this time around with Microsoft. The only constant in both incidents has been Tavis Ormandy.
When you look at this pattern, it's pretty hard to understand Tavis or his defenders. What we have is a guy who discloses responsibly when he feels like it (i.e. when it's a company he likes, or one too small to get him any publicity), but irresponsibly when it's a company he doesn't like (or one big enough to gain him wide publicity).
And for most of this time, he's been employed by Google, either as an intern or as a full-time member of their security team. Meantime, Google stands idly by and does nothing. And Tavis just keeps getting worse. It's pretty hard not to question whether there's a link. IS this behavior he's learning as he goes along, as a Google employee? You know, don't be evil. Except when it involves the mass Internet population and a major competitor.
Tavis keeps an up-to-date list of his exploit writing, should you wish to check out this pattern yourself.