Questionable: Google's approach to Microsoft zero-day vulnerability

In his security blog posting on the affair, Sophos' Graham Cluley noted that Microsoft acknowledged receipt of the Google engineer's vulnerability report on the same day that he sent it to them.

"So far, so normal. What happened next though is where things get controversial", he said, adding that, in the early hours of June 10, five days after advising Microsoft, the Google researcher decided to make his findings public by posting the details on the Full Disclosure mailing list.

"Ormandy claims that he made details of the vulnerability public, because of the severity of the issue, claiming that he had to post working exploit code to gain attention", said Cluley.

But, he added, five days' notice for Microsoft to fix the problem hardly seems like a reasonable amount of time.

"And although Ormandy states in his Full Disclosure post that he does 'not speak or represent anyone but myself', it's no surprise that some are wondering whether this was a responsible way for a Google employee to behave", he noted.

According to Cluley, Microsoft appears to be keen to take the high road in this spat, and has published an advisory for its users while it investigates how to fix the problem.

"I'm sure, however, that they would rather have fixed this vulnerability behind closed doors, without exploit code circulating in the wild, and would have preferred if this Google engineer had acted responsibly", he said.
