No I do not think so then all the people who need some money would be reporting these things just to get funds and overload their system andthen they would never be able to check the validity of all the clqames
-----Original Message----- From: macvisionaries@googlegroups.com [mailto:macvisionaries@googlegroups.com] On Behalf Of Shaf Sent: Thursday, August 13, 2015 11:53 To: macvisionaries@googlegroups.com Subject: Re: Why you shouldn't freak out about scary sounding exploits That's good for you. A wealthy company such as Apple should pay those who find security holes and report to them. On 8/13/2015 7:36 PM, Littlefield, Tyler wrote: > Hello: A lot of companies do have bounties like this. For example, > the company I worked for works on Drupal. There was a bounty > offered through the association. I report stuff like this I find > when it is a problem, not because I want to get paid but because > that's the only way to fix things. I do it because it's the right > thing to do and it helps other people. Any security holes that can > be fixed, regardless of whether or not I get paid helps me (as I'm > obviously using the product) and it helps others as well. > > Thanks, On 8/13/2015 2:27 PM, Shaf wrote: >> Why should I tell Apple of exploits if they don't pay me?? They >> should introduce a bug bounty program. Otherwise I have no >> interest in keeping their bugs confidential. > > >> On 8/13/2015 7:10 PM, 'Chris Blouch' via MacVisionaries wrote: >>> With the complexity of OSX and iOS I think if somebody figures >>> out the right combination of tweaks to bypass security they >>> should tell Apple right away and hold off a bit before telling >>> the world. At least give them a chance to fix it before giving >>> a free hand up to the bad guys. Of course that lead time needs >>> to be kinda short as the vulnerability needs to be fixed before >>> some bad folks find it and/or continue to use it. With Apple's >>> automatic updates it can also be a while before a reasonable >>> chunk of the population has installed the patch. So I'd guess >>> 90 days would be pretty reasonable. If a patch hasn't been >>> released by then then it's time to put public pressure on >>> Apple. >>> >>> That said, the oasis of pulchritude hasn't entirely dried up. >>> Yes, there are issues and the popularity of the platform has >>> attracted unwanted attention from certain quarters but at >>> least there seems to be a reasonably good attempt to put locks >>> on all the doors. They just sometimes forget and leave a window >>> open. >>> >>> CB >>> >>> On 8/13/15 1:21 PM, Sabahattin Gucukoglu wrote: >>>> I don’t agree with the author. Of course, this is >>>> MacWorld—some amount of Apple butt-kissing is to be >>>> expected—but I find his attitude very worrying. >>>> >>>> First, “Responsible disclosure” vs “Full disclosure” is a >>>> choice of researchers, and privileged authors of the press >>>> shouldn’t be using their personal ethical judgements about >>>> it to suppress public information about flaws simply on that >>>> basis. That alone is reason enough to simply distrust any >>>> further writings of the author. I am personally of the >>>> opinion that we are well past the usefulness of “Responsible >>>> disclosure” as a strategy; giving companies rope, but not >>>> quite enough to hang themselves with, isn’t moving security >>>> forward any faster. >>>> >>>> Second, and more important, a privilege escalation >>>> vulnerability isn’t a problem for advanced users, who >>>> already know what Glen is suggesting, i.e. don’t run dodgy >>>> software. It is precisely those people who have been trained, >>>> per the standard advice, not to type in their passwords when >>>> they are suspicious who will be most hit by the root bypass. >>>> Obviously, better advice would be “Just don’t trust anyone”, >>>> but that’s not how the world works, sadly. I think it’s time >>>> for us to acknowledge that the Mac, once a peaceful >>>> neighbourhood with only the occasional bit of >>>> easily-preventable rogue badness that you could get rid of by >>>> just clicking “No” or “Cancel” or whatever, is now >>>> increasingly occupied by bad software that is >>>> well-advertised, easily installed and hard to recognise by a >>>> lot of inexperienced people, and anybody giving a Mac to >>>> somebody to keep them (the recipient) quiet and out of their >>>> (the donor’s) hair now needs to hold Apple’s once glorious >>>> patch turnaround times to account. This is *especially* true >>>> if the donor has delivered the Mac with a limited user >>>> account and all necessary software already installed or only >>>> accessible from the Mac App Store, because as soon as Flash >>>> becomes the vector, we’re all finished. >>>> >>>> Microsoft have learned their security lessons the hard and >>>> painful way, and now it’s Apple’s turn. Please don’t give >>>> apologists fodder for their absurd denials. >>>> >>> > > > > -- You received this message because you are subscribed to the Google Groups "MacVisionaries" group. To unsubscribe from this group and stop receiving emails from it, send an email to macvisionaries+unsubscr...@googlegroups.com. To post to this group, send email to macvisionaries@googlegroups.com. Visit this group at http://groups.google.com/group/macvisionaries. For more options, visit https://groups.google.com/d/optout. -- You received this message because you are subscribed to the Google Groups "MacVisionaries" group. To unsubscribe from this group and stop receiving emails from it, send an email to macvisionaries+unsubscr...@googlegroups.com. To post to this group, send email to macvisionaries@googlegroups.com. Visit this group at http://groups.google.com/group/macvisionaries. For more options, visit https://groups.google.com/d/optout.
