Generally they do actually pay people who find security problems, or payment can be worked out. But finding exploits isn't as easy as tweaking a setting here or there; it takes a lot of work. Usually when you do it there are other reasons behind it: being the one to find an exploit gains you a lot of reputation. Others do it to sell the exploit as a zero-day vuln, which is illegal.

On 8/13/2015 2:52 PM, Shaf wrote:
> That's good for you. A wealthy company such as Apple should pay those who find security holes and report to them.
>
> On 8/13/2015 7:36 PM, Littlefield, Tyler wrote:
>> Hello:
>> A lot of companies do have bounties like this. For example, the company I worked for works on Drupal. There was a bounty offered through the association. I report stuff like this I find when it is a problem, not because I want to get paid but because that's the only way to fix things. I do it because it's the right thing to do and it helps other people. Any security holes that can be fixed, regardless of whether or not I get paid, help me (as I'm obviously using the product) and help others as well.
>>
>> Thanks,
>>
>> On 8/13/2015 2:27 PM, Shaf wrote:
>>> Why should I tell Apple of exploits if they don't pay me?? They should introduce a bug bounty program. Otherwise I have no interest in keeping their bugs confidential.
>>>
>>> On 8/13/2015 7:10 PM, 'Chris Blouch' via MacVisionaries wrote:
>>>> With the complexity of OSX and iOS, I think if somebody figures out the right combination of tweaks to bypass security they should tell Apple right away and hold off a bit before telling the world. At least give them a chance to fix it before giving a free hand up to the bad guys. Of course that lead time needs to be kinda short, as the vulnerability needs to be fixed before some bad folks find it and/or continue to use it. With Apple's automatic updates it can also be a while before a reasonable chunk of the population has installed the patch. So I'd guess 90 days would be pretty reasonable. If a patch hasn't been released by then, it's time to put public pressure on Apple.
>>>>
>>>> That said, the oasis of pulchritude hasn't entirely dried up. Yes, there are issues and the popularity of the platform has attracted unwanted attention from certain quarters, but at least there seems to be a reasonably good attempt to put locks on all the doors. They just sometimes forget and leave a window open.
>>>>
>>>> CB
>>>>
>>>> On 8/13/15 1:21 PM, Sabahattin Gucukoglu wrote:
>>>>> I don’t agree with the author. Of course, this is MacWorld—some amount of Apple butt-kissing is to be expected—but I find his attitude very worrying.
>>>>>
>>>>> First, “Responsible disclosure” vs “Full disclosure” is a choice of researchers, and privileged authors of the press shouldn’t be using their personal ethical judgements about it to suppress public information about flaws simply on that basis. That alone is reason enough to simply distrust any further writings of the author. I am personally of the opinion that we are well past the usefulness of “Responsible disclosure” as a strategy; giving companies rope, but not quite enough to hang themselves with, isn’t moving security forward any faster.
>>>>>
>>>>> Second, and more important, a privilege escalation vulnerability isn’t a problem for advanced users, who already know what Glen is suggesting, i.e. don’t run dodgy software. It is precisely those people who have been trained, per the standard advice, not to type in their passwords when they are suspicious who will be most hit by the root bypass. Obviously, better advice would be “Just don’t trust anyone”, but that’s not how the world works, sadly. I think it’s time for us to acknowledge that the Mac, once a peaceful neighbourhood with only the occasional bit of easily-preventable rogue badness that you could get rid of by just clicking “No” or “Cancel” or whatever, is now increasingly occupied by bad software that is well-advertised, easily installed and hard to recognise by a lot of inexperienced people, and anybody giving a Mac to somebody to keep them (the recipient) quiet and out of their (the donor’s) hair now needs to hold Apple’s once glorious patch turnaround times to account. This is *especially* true if the donor has delivered the Mac with a limited user account and all necessary software already installed or only accessible from the Mac App Store, because as soon as Flash becomes the vector, we’re all finished.
>>>>>
>>>>> Microsoft have learned their security lessons the hard and painful way, and now it’s Apple’s turn. Please don’t give apologists fodder for their absurd denials.
-- 
Take care,
Ty
twitter: @sorressean
web: http://tysdomain.com
pubkey: http://tysdomain.com/files/pubkey.asc