-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello:

A lot of companies do have bounties like this. For example, the company I worked for works on Drupal. There was a bounty offered through the association. I report stuff like this I find when it is a problem, not because I want to get paid but because that's the only way to fix things. I do it because it's the right thing to do and it helps other people. Any security holes that can be fixed, regardless of whether or not I get paid, help me (as I'm obviously using the product) and they help others as well.

Thanks,

On 8/13/2015 2:27 PM, Shaf wrote:
> Why should I tell Apple of exploits if they don't pay me?? They should introduce a bug bounty program. Otherwise I have no interest in keeping their bugs confidential.
>
>
> On 8/13/2015 7:10 PM, 'Chris Blouch' via MacVisionaries wrote:
>> With the complexity of OSX and iOS I think if somebody figures out the right combination of tweaks to bypass security they should tell Apple right away and hold off a bit before telling the world. At least give them a chance to fix it before giving a free hand up to the bad guys. Of course that lead time needs to be kinda short as the vulnerability needs to be fixed before some bad folks find it and/or continue to use it. With Apple's automatic updates it can also be a while before a reasonable chunk of the population has installed the patch. So I'd guess 90 days would be pretty reasonable. If a patch hasn't been released by then, then it's time to put public pressure on Apple.
>>
>> That said, the oasis of pulchritude hasn't entirely dried up. Yes, there are issues and the popularity of the platform has attracted unwanted attention from certain quarters, but at least there seems to be a reasonably good attempt to put locks on all the doors. They just sometimes forget and leave a window open.
>>
>> CB
>>
>> On 8/13/15 1:21 PM, Sabahattin Gucukoglu wrote:
>>> I don’t agree with the author. Of course, this is MacWorld—some amount of Apple butt-kissing is to be expected—but I find his attitude very worrying.
>>>
>>> First, “Responsible disclosure” vs “Full disclosure” is a choice of researchers, and privileged authors of the press shouldn’t be using their personal ethical judgements about it to suppress public information about flaws simply on that basis. That alone is reason enough to simply distrust any further writings of the author. I am personally of the opinion that we are well past the usefulness of “Responsible disclosure” as a strategy; giving companies rope, but not quite enough to hang themselves with, isn’t moving security forward any faster.
>>>
>>> Second, and more important, a privilege escalation vulnerability isn’t a problem for advanced users, who already know what Glen is suggesting, i.e. don’t run dodgy software. It is precisely those people who have been trained, per the standard advice, not to type in their passwords when they are suspicious who will be most hit by the root bypass. Obviously, better advice would be “Just don’t trust anyone”, but that’s not how the world works, sadly. I think it’s time for us to acknowledge that the Mac, once a peaceful neighbourhood with only the occasional bit of easily-preventable rogue badness that you could get rid of by just clicking “No” or “Cancel” or whatever, is now increasingly occupied by bad software that is well-advertised, easily installed and hard to recognise by a lot of inexperienced people, and anybody giving a Mac to somebody to keep them (the recipient) quiet and out of their (the donor’s) hair now needs to hold Apple’s once glorious patch turnaround times to account. This is *especially* true if the donor has delivered the Mac with a limited user account and all necessary software already installed or only accessible from the Mac App Store, because as soon as Flash becomes the vector, we’re all finished.
>>>
>>> Microsoft have learned their security lessons the hard and painful way, and now it’s Apple’s turn. Please don’t give apologists fodder for their absurd denials.
>>>
>>
>

- -- 
Take care,
Ty
twitter: @sorressean
web: http://tysdomain.com
pubkey: http://tysdomain.com/files/pubkey.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBAgAGBQJVzOOtAAoJEAdP60+BYxejrtIH/imR8NkDa+qXCsu9jMf1Tg9+
e6yhkvDuWDAE6x7irob9M8r4GFIZpORxspNmI8fyR7vlz7vzEVSewelqjAdwN5e3
fU4W4G+nUVSgY44JNn4wOdH5cgfO+WtNubMMfDtM0FKXSFkzsF6s+Rdv3DPdWAcX
N8+TiItjVFIWroeExY8tr88Gy/l+OwIEhBBcj3QuncJqaeEajVYnidvcvlw3Tq1R
RrgrIU7vXLbU1AE9tseOaRFbCySljUfQT90aKtzIczM8xAlqVfaUDEyy00hwvP6c
saPhr5xtwhT5EGDjSS4PEan4nLX5kUs2qP7aZYETu1HszfS+7lgrPg4tqQM/4Kg=
=sDTZ
-----END PGP SIGNATURE-----

-- 
You received this message because you are subscribed to the Google Groups "MacVisionaries" group.
To unsubscribe from this group and stop receiving emails from it, send an email to macvisionaries+unsubscr...@googlegroups.com.
To post to this group, send email to macvisionaries@googlegroups.com.
Visit this group at http://groups.google.com/group/macvisionaries.
For more options, visit https://groups.google.com/d/optout.