No clue what 'clqames' means.

Either way, your argument is flawed. That's like saying everybody who
wants a job shouldn't work for the money otherwise the job market would
be overloaded and employees wouldn't be filtered by quality.


On 8/13/2015 8:25 PM, george b wrote:
> No I do not think so then all the people who need some money would be 
> reporting these things just to get funds and overload their system and then 
> they would never be able to check the validity of all the clqames
> 
> -----Original Message-----
> From: macvisionaries@googlegroups.com 
> [mailto:macvisionaries@googlegroups.com] On Behalf Of Shaf
> Sent: Thursday, August 13, 2015 11:53
> To: macvisionaries@googlegroups.com
> Subject: Re: Why you shouldn't freak out about scary sounding exploits
> 
> That's good for you. A wealthy company such as Apple should pay those
> who find security holes and report to them.
> 
> On 8/13/2015 7:36 PM, Littlefield, Tyler wrote:
>> Hello: A lot of companies do have bounties like this. For example,
>> the company I worked for works on Drupal. There was a bounty
>> offered through the association. I report stuff like this I find
>> when it is a problem, not because I want to get paid but because
>> that's the only way to fix things. I do it because it's the right
>> thing to do and it helps other people. Any security holes that can
>> be fixed, regardless of whether or not I get paid helps me (as I'm
>> obviously using the product) and it helps others as well.
>>
>> Thanks,
>>
>> On 8/13/2015 2:27 PM, Shaf wrote:
>>> Why should I tell Apple of exploits if they don't pay me?? They 
>>> should introduce a bug bounty program. Otherwise I have no 
>>> interest in keeping their bugs confidential.
>>
>>
>>> On 8/13/2015 7:10 PM, 'Chris Blouch' via MacVisionaries wrote:
>>>> With the complexity of OSX and iOS I think if somebody figures 
>>>> out the right combination of tweaks to bypass security they 
>>>> should tell Apple right away and hold off a bit before telling 
>>>> the world. At least give them a chance to fix it before giving
>>>> a free hand up to the bad guys. Of course that lead time needs
>>>> to be kinda short as the vulnerability needs to be fixed before
>>>> some bad folks find it and/or continue to use it. With Apple's 
>>>> automatic updates it can also be a while before a reasonable 
>>>> chunk of the population has installed the patch. So I'd guess
>>>> 90 days would be pretty reasonable. If a patch hasn't been
>>>> released by then then it's time to put public pressure on
>>>> Apple.
>>>>
>>>> That said, the oasis of pulchritude hasn't entirely dried up. 
>>>> Yes, there are issues and the popularity of the platform has 
>>>> attracted unwanted attention from certain quarters but at
>>>> least there seems to be a reasonably good attempt to put locks
>>>> on all the doors. They just sometimes forget and leave a window
>>>> open.
>>>>
>>>> CB
>>>>
>>>> On 8/13/15 1:21 PM, Sabahattin Gucukoglu wrote:
>>>>> I don’t agree with the author.  Of course, this is 
>>>>> MacWorld—some amount of Apple butt-kissing is to be 
>>>>> expected—but I find his attitude very worrying.
>>>>>
>>>>> First, “Responsible disclosure” vs “Full disclosure” is a 
>>>>> choice of researchers, and privileged authors of the press 
>>>>> shouldn’t be using their personal ethical judgements about
>>>>> it to suppress public information about flaws simply on that 
>>>>> basis.  That alone is reason enough to simply distrust any 
>>>>> further writings of the author.  I am personally of the
>>>>> opinion that we are well past the usefulness of “Responsible 
>>>>> disclosure” as a strategy; giving companies rope, but not
>>>>> quite enough to hang themselves with, isn’t moving security
>>>>> forward any faster.
>>>>>
>>>>> Second, and more important, a privilege escalation 
>>>>> vulnerability isn’t a problem for advanced users, who
>>>>> already know what Glen is suggesting, i.e. don’t run dodgy
>>>>> software. It is precisely those people who have been trained,
>>>>> per the standard advice, not to type in their passwords when
>>>>> they are suspicious who will be most hit by the root bypass.
>>>>> Obviously, better advice would be “Just don’t trust anyone”,
>>>>> but that’s not how the world works, sadly.  I think it’s time
>>>>> for us to acknowledge that the Mac, once a peaceful
>>>>> neighbourhood with only the occasional bit of
>>>>> easily-preventable rogue badness that you could get rid of by
>>>>> just clicking “No” or “Cancel” or whatever, is now
>>>>> increasingly occupied by bad software that is 
>>>>> well-advertised, easily installed and hard to recognise by a 
>>>>> lot of inexperienced people, and anybody giving a Mac to 
>>>>> somebody to keep them (the recipient) quiet and out of their 
>>>>> (the donor’s) hair now needs to hold Apple’s once glorious 
>>>>> patch turnaround times to account.  This is *especially* true
>>>>>  if the donor has delivered the Mac with a limited user
>>>>> account and all necessary software already installed or only
>>>>> accessible from the Mac App Store, because as soon as Flash
>>>>> becomes the vector, we’re all finished.
>>>>>
>>>>> Microsoft have learned their security lessons the hard and 
>>>>> painful way, and now it’s Apple’s turn.  Please don’t give 
>>>>> apologists fodder for their absurd denials.
>>>>>
>>>>
>>
>>
>>
>>
> 
