Why are those channels “proper”?
Replying to @hdevalence
Because they don't involve everyone on the internet knowing about the vulnerability before a patch is available and a CVE is issued
Replying to @sgrif @hdevalence
Manish Retweeted Kevin Beaumont
Quoted tweet from Kevin Beaumont (@GossiTheDog): Regarding people attacking the guy who tweeted #IAmRoot last night - multiple people had already tweeted it, GIFed it, posted it on their forum. The difference is his tweet went viral. He doesn't work in security. He did the world a favour.
Replying to @ManishEarth @hdevalence
I know it had at least been posted on their forum. Was not aware of the other cases. I still stand by the statement that anyone in our industry should know better, and if it was ignorance we need to do a better job of teaching this.
Replying to @sgrif @hdevalence
Manish Retweeted Sarah Jamie Lewis
Manish added: Yeah, I don't think it was ignorance, nor do I think it was immoral (seems like Henry is of the same opinion?) I kinda agree with Sarah here. I personally would privately disclose but I don't consider this specific case immoral to not. https://twitter.com/SarahJamieLewis/status/935700213074817025
Replying to @ManishEarth @hdevalence
Immoral is much stronger than what I was trying to express.
Replying to @sgrif @hdevalence
Improper/immoral/unethical/or basically "wrong" in any way.
Replying to @ManishEarth @hdevalence
I think the difference in my point is this: I don't see this as a disclosure, I see this as a disclosure to the developers working there who aren't magically more powerful than the developers working on OSS. I reject the notion that throwing more money at it fixes the problem
That does not make it OK that this happened, nor does it mean the reporter is responsible for the problem (that very squarely falls on Apple's shoulders), but I do think that it is only fair that the developers be given a chance to correct before it is made public
Replying to @sgrif @hdevalence
Bear in mind the bug was out there ready. Getting the word out is not in Apple's interest and is not what they would do (more likely, silent patch). Getting the word out protects people.
There should definitely be a CVE. I would argue that the reporter *should* publicly make a fuss if there isn't one after a patch is released