14 DAY TRIAL // Google security engineer Tavis Ormandy claims the "several improvements" he is credited for in the latest Flash Player security bulletin are actually 400 vulnerabilities.
"Adobe patched around 400 unique vulnerabilities I had sent them in APSB11-21 as part of an ongoing security audit. Not a typo," the researcher wrote on Twitter.
"Apparently that number was embarrassingly high, and they're trying to bury the results, so I'll publish my own advisory later today," he added.
Ormandy's comments prompted a response from Wiebke Lips, senior manager of corporate communications at Adobe, who appeared to question the researcher's claims.
"Tavis, please do not confuse sample files with unique vulnerabilities. What is Google's agenda here?" the spokeswoman wrote in a tweet that she later deleted.
Ormandy replied that this has nothing to do with Google and he just wants recognition for his work. He also claimed that he tried unsuccessfully to get confirmation from Adobe for the past two days that they won't misrepresent the number of vulnerabilities.
The reactions from other security researchers have been mostly positive, with Ormandy being congratulated for his work. "You going to do a blog post? Would be interested to see some of the details. Great work!" said fellow researcher Mark Dowd.
"400 is a huge number so congrats to you and your team! Hope that Adobe is paying Google a few millions to audit Flash ;-)" commented VUPEN's Chaouki Bekrar.
Other security experts were amused by the apparent quarrel between Ormandy and Adobe, pointing out that this is not the first time when the Google engineer generates controversy.
"Google's laissez-faire mentality with regard to @taviso's personal research leads to some hilarious situations. It is fun to watch," said Aaron Portnoy, TippingPoint's security research team manager.
Adobe released Flash Player 10.3.183.5 as a security update yesterday. The accompanying security bulletin listed thirteen critical vulnerabilities but none of them were credited to Tavis Ormandy.