Bejtlich, currently the principal security strategist at Corelight, was formerly with FireEye, transitioning from Mandiant when FireEye bought the company in 2013. In the past, Microsoft and Google have exposed bugs in each other's software, seemingly resorting to tit-for-tat on occasion.
Ormandy said on 12 June that he was posting details of a bug in SymCrypt, the core library that handles all cryptography on Windows. "It's a DoS, but this means basically anything that does crypto in Windows can be deadlocked (s/mime, authenticode, ipsec, iis, everything). Microsoft committed to fixing it in 90 days, then didn't," he said in a tweet.
And in a second tweet, he said the issue was now public as it was day 91. "I consider this relatively low severity, but you could take down an entire Windows fleet relatively easily, so it's worth being aware of," he added.
Back came Ormandy's retort: "Those of us actually on the frontlines of vulnerability research deal with something a little different. The Microsoft you're so enamoured with didn't just appear, we had to fight for it. What's petty is hurling insults without even putting in some effort to understand context."
The matter could have ended there but Bejtlich apparently was not prepared to let it go. "I'm not on the frontlines of vuln research but I care about people who have to deal with the mess you disclosed, needlessly early in my opinion," he said. "It's not like Microsoft was ignoring or disrespecting you. Seriously, I expected better from someone who's been around as long as you."
Ormandy, seemingly someone who likes to get the last word, had more ammunition left. "Vulnerability disclosure is a vast and nuanced field, that you are clearly not familiar with," he tweeted. "Should I start techsplaining your field to you? I know nothing about it, but I can't wait to second guess all the decisions you've made and explain how petty you are. Do better Richard."
And, for good measure, he linked back to a 2015 post in which he had exposed details of a vulnerability in a FireEye product. "That's funny, because I have to deal with the mess that people like you ship to customers," Ormandy wrote. "Amateurish code like FireEye with trivial vulnerabilities, promising desperate customers that if they just give you enough money you'll be secure from the boogeyman."
It looks like Bejtlich isn't planning to continue the spat – as of today, anyway.