undefined | Better HN

0 pointsarghwhat8y ago0 comments

Care to explain the comment about Apple? I can think of a few companies (DJI, for example) that try to screw over security researchers, but big IT companies usually don't go on the list.

0 comments

lawnchair_larry8y ago

Most of the big companies will take their sweet time to fix something if it suits them. Not always, but sometimes they just won't feel like getting around to it, and they know that as a "responsible" researcher, you will keep your mouth shut about it. I'm talking like a year. I've seen this with the "researcher friendly" companies.

In my opinion, there's a point at which it becomes irresponsible to let them sit on issues for so long, but their newspeak for the disclosure policy tries to pre-empt that idea.

arghwhatOP8y ago

I have heard of many incidents like this from various companies, but not Apple that I know of.

But yes, responsible disclosure includes a deadline (60 days?). Flexibility granted if the company truly needs it, and the nature of the vulnerability requires discretion until fixed. A major widespread flaw with no workaround short of air-gapping the machine would be wise to keep secret until fixed.

lawnchair_larry8y ago

90 days, and Apple in fact are a noteworthy example. They have repeatedly missed the deadline and had full disclosure by GPZ, with widespread flaws, complete with exploit code.

Microsoft are the other big one.

The "right" thing is far more complicated than people who have no experience working with vendors to fix bugs like to assert.

There is some game theory here. The rationale is that if vendors know that GPZ will sit on their vuln until it is fixed, they are not forced to take the deadline seriously. For that reason, GPZ must remain firm on their deadlines, and everyone knows that if you try to call their bluff, you are going to lose that bet and have an even bigger mess.

saagarjha8y ago

That's when you put a clear timeline for how long you will wait before disclosing when you report these bugs.

j / k navigate · click thread line to collapse

0 comments

lawnchair_larry8y ago

In my opinion, there's a point at which it becomes irresponsible to let them sit on issues for so long, but their newspeak for the disclosure policy tries to pre-empt that idea.

arghwhatOP8y ago

I have heard of many incidents like this from various companies, but not Apple that I know of.

lawnchair_larry8y ago

90 days, and Apple in fact are a noteworthy example. They have repeatedly missed the deadline and had full disclosure by GPZ, with widespread flaws, complete with exploit code.

Microsoft are the other big one.

The "right" thing is far more complicated than people who have no experience working with vendors to fix bugs like to assert.

saagarjha8y ago

That's when you put a clear timeline for how long you will wait before disclosing when you report these bugs.

j / k navigate · click thread line to collapse