Why should I tell Apple of exploits if they don't pay me?? They should introduce a bug bounty program. Otherwise I have no interest in keeping their bugs confidential.
On 8/13/2015 7:10 PM, 'Chris Blouch' via MacVisionaries wrote:
> With the complexity of OSX and iOS I think if somebody figures out the right combination of tweaks to bypass security they should tell Apple right away and hold off a bit before telling the world. At least give them a chance to fix it before giving a free hand up to the bad guys. Of course that lead time needs to be kinda short as the vulnerability needs to be fixed before some bad folks find it and/or continue to use it. With Apple's automatic updates it can also be a while before a reasonable chunk of the population has installed the patch. So I'd guess 90 days would be pretty reasonable. If a patch hasn't been released by then, then it's time to put public pressure on Apple.
>
> That said, the oasis of pulchritude hasn't entirely dried up. Yes, there are issues and the popularity of the platform has attracted unwanted attention from certain quarters but at least there seems to be a reasonably good attempt to put locks on all the doors. They just sometimes forget and leave a window open.
>
> CB
>
> On 8/13/15 1:21 PM, Sabahattin Gucukoglu wrote:
>> I don’t agree with the author. Of course, this is MacWorld—some amount of Apple butt-kissing is to be expected—but I find his attitude very worrying.
>>
>> First, “Responsible disclosure” vs “Full disclosure” is a choice of researchers, and privileged authors of the press shouldn’t be using their personal ethical judgements about it to suppress public information about flaws simply on that basis. That alone is reason enough to simply distrust any further writings of the author. I am personally of the opinion that we are well past the usefulness of “Responsible disclosure” as a strategy; giving companies rope, but not quite enough to hang themselves with, isn’t moving security forward any faster.
>>
>> Second, and more important, a privilege escalation vulnerability isn’t a problem for advanced users, who already know what Glen is suggesting, i.e. don’t run dodgy software. It is precisely those people who have been trained, per the standard advice, not to type in their passwords when they are suspicious who will be most hit by the root bypass. Obviously, better advice would be “Just don’t trust anyone”, but that’s not how the world works, sadly. I think it’s time for us to acknowledge that the Mac, once a peaceful neighbourhood with only the occasional bit of easily-preventable rogue badness that you could get rid of by just clicking “No” or “Cancel” or whatever, is now increasingly occupied by bad software that is well-advertised, easily installed and hard to recognise by a lot of inexperienced people, and anybody giving a Mac to somebody to keep them (the recipient) quiet and out of their (the donor’s) hair now needs to hold Apple’s once glorious patch turnaround times to account. This is *especially* true if the donor has delivered the Mac with a limited user account and all necessary software already installed or only accessible from the Mac App Store, because as soon as Flash becomes the vector, we’re all finished.
>>
>> Microsoft have learned their security lessons the hard and painful way, and now it’s Apple’s turn. Please don’t give apologists fodder for their absurd denials.
>>
