“improperly”?
-
-
That said, I think all disclosures should come with a timer. There are far too many stories of disclosures being ignored for months or even years
-
TL;DR: Working for a billion dollar company does not magically give you anti-security issue super powers as much as we would like it to. If private disclosure makes sense for OSS, it makes sense for private companies as well.
New conversation -
-
-
I don’t think it’s fair to keep users in the dark and unable to do anything to protect themselves
-
The fact that there was an easy user-actionable protection in this case is extremely rare, and was not known at the time that this went down.
End of conversation
New conversation -
-
-
Bear in mind the bug was out there ready. Getting the word out is not in Apple's interest and is not what they would do (more likely, silent patch). Getting the word out protects people.
-
There should definitely be a CVE. I would argue that the reporter *should* publicly make a fuss if there isn't one after a patch is released
End of conversation