Month of Apple Bugs (MOAB)
Patrick Coskren
pcoskren at mac.com
Tue Jan 2 16:46:36 PST 2007
On Jan 2, 2007, at 7:28 PM, Robert La Ferla wrote:
> Looks like we will get a bunch of bugs this month and hopefully
> fixes by Apple...
>
> http://projects.info-pull.com/moab
Goodie. I've seen these guys post on Slashdot and one of the Mac OS
security lists, and they really come across as a bunch of smug little
college students looking to take the MacOS fanboys down a notch.
From the site:
> Are the issues being reported to the vendor before public disclosure?
> Rarely; the point is releasing them without vendor notification.
> Although, sometimes we may decide to pass an issue through the
> appropriate people. The problem with so-called 'responsible
> disclosure' is that for some people, it means keeping others on
> hold for insane amounts of time, even when the fix should be
> trivial. And the reward (automated responses and euphemism-heavy
> advisories) doesn't pay off in the end.
I mean, come on, how childish is that? If you really want to force
the point, submit the problem to the vendor with some sort of
deadline. Yeah, it's extortion, but at least the vendor has a
chance. Doing it like this, out of some weird misplaced cynicism, is
just playing "gotcha".
Hopefully, Apple already has a security team to rapidly assess and
deal with "zero-day" vulnerabilities. And hopefully all the bugs
these jokers find are ones that are relatively easy to patch. If
they wind up finding a serious exploit and publicizing it before
Apple can get a fix, out of some mistaken sense that vendor
indifference is the only possible reason for the existence of
security problems, then a lot of people could get screwed. And these
jerks will probably cross their arms, rock back on their heels, and
murmur "told ya."
-Patrick