That's good for you. A wealthy company such as Apple should pay those who find security holes and report them.
On 8/13/2015 7:36 PM, Littlefield, Tyler wrote:
> Hello:
> A lot of companies do have bounties like this. For example, the company I worked for works on Drupal. There was a bounty offered through the association. I report stuff like this I find when it is a problem, not because I want to get paid but because that's the only way to fix things. I do it because it's the right thing to do and it helps other people. Any security holes that can be fixed, regardless of whether or not I get paid, help me (as I'm obviously using the product) and help others as well.
>
> Thanks,
>
> On 8/13/2015 2:27 PM, Shaf wrote:
>> Why should I tell Apple of exploits if they don't pay me?? They should introduce a bug bounty program. Otherwise I have no interest in keeping their bugs confidential.
>>
>> On 8/13/2015 7:10 PM, 'Chris Blouch' via MacVisionaries wrote:
>>> With the complexity of OS X and iOS, I think if somebody figures out the right combination of tweaks to bypass security they should tell Apple right away and hold off a bit before telling the world. At least give them a chance to fix it before giving a free hand up to the bad guys. Of course that lead time needs to be kinda short, as the vulnerability needs to be fixed before some bad folks find it and/or continue to use it. With Apple's automatic updates it can also be a while before a reasonable chunk of the population has installed the patch. So I'd guess 90 days would be pretty reasonable. If a patch hasn't been released by then, it's time to put public pressure on Apple.
>>>
>>> That said, the oasis of pulchritude hasn't entirely dried up. Yes, there are issues, and the popularity of the platform has attracted unwanted attention from certain quarters, but at least there seems to be a reasonably good attempt to put locks on all the doors. They just sometimes forget and leave a window open.
>>>
>>> CB
>>>
>>> On 8/13/15 1:21 PM, Sabahattin Gucukoglu wrote:
>>>> I don’t agree with the author. Of course, this is MacWorld—some amount of Apple butt-kissing is to be expected—but I find his attitude very worrying.
>>>>
>>>> First, “Responsible disclosure” vs “Full disclosure” is a choice of researchers, and privileged authors of the press shouldn’t be using their personal ethical judgements about it to suppress public information about flaws simply on that basis. That alone is reason enough to simply distrust any further writings of the author. I am personally of the opinion that we are well past the usefulness of “Responsible disclosure” as a strategy; giving companies rope, but not quite enough to hang themselves with, isn’t moving security forward any faster.
>>>>
>>>> Second, and more important, a privilege escalation vulnerability isn’t a problem for advanced users, who already know what Glen is suggesting, i.e. don’t run dodgy software. It is precisely those people who have been trained, per the standard advice, not to type in their passwords when they are suspicious who will be most hit by the root bypass. Obviously, better advice would be “Just don’t trust anyone”, but that’s not how the world works, sadly. I think it’s time for us to acknowledge that the Mac, once a peaceful neighbourhood with only the occasional bit of easily-preventable rogue badness that you could get rid of by just clicking “No” or “Cancel” or whatever, is now increasingly occupied by bad software that is well-advertised, easily installed and hard to recognise by a lot of inexperienced people, and anybody giving a Mac to somebody to keep them (the recipient) quiet and out of their (the donor’s) hair now needs to hold Apple’s once glorious patch turnaround times to account. This is *especially* true if the donor has delivered the Mac with a limited user account and all necessary software already installed or only accessible from the Mac App Store, because as soon as Flash becomes the vector, we’re all finished.
>>>>
>>>> Microsoft have learned their security lessons the hard and painful way, and now it’s Apple’s turn. Please don’t give apologists fodder for their absurd denials.
