Month of Apple Bugs
So the Month of Apple Bugs has kicked off and I’m happy about it because I think it will have some positive effects; as the organizers state:
This initiative aims to serve as an effort to improve Mac OS X, uncovering and finding security flaws in different Apple software and third-party applications designed for this operating system. A positive side-effect, probably, will be a more concerned (security-wise) user-base and better practices from the management side of Apple. Also, we want to develop and provide tools and documented techniques to aid security research in this platform.
But one thing I don’t agree with is that the organizers have stated that they won’t be notifying Apple prior to making the disclosures:
Rarely, the point is releasing them without vendor notification [emphasis added]. Although, sometimes we may decide to pass an issue through the appropriate people. The problem with so-called 'responsible disclosure' is that for some people, it means keeping others on hold for insane amounts of time, even when the fix should be trivial. And the reward (automated responses and euphemism-heavy advisories) doesn’t pay off in the end.
This is completely unethical and a bogus argument to boot. They’ll still get the "automated responses" and there’ll still be "euphemism-heavy advisories"; and when Apple releases the fixes we’ll all still get watered-down descriptions of the faults. If the organizers don’t want to be kept on "hold for insane amounts of time" then they should have set a time limit after which they’d go public; it’s that simple.
I would suggest that they inform Apple privately and give them 30 days to respond; this interval gives them a reasonable and fair period in which to engineer, test and deliver a fix. If Apple doesn’t supply a fix within 30 days then by all means go public, but if you purposely flood the Internet with detailed information on how to exploit hitherto unknown flaws in Mac OS X you risk doing more harm to users than good. What is so urgent about all this that these flaws must be disclosed right now at absolutely any cost? And if 30 days seems too long to you, why not wait at least 7 days? That’s not long enough for Apple to investigate the flaw then develop, test and deploy the fix, but at least you could then argue that there was a shred of ethics and responsibility in your approach. But purposely throwing out these disclosures tabloid-style? Where are the ethics in that?
They could meet all their stated goals (improving the security of the platform, raising awareness, etc.) and generate a huge amount of publicity while still engaging in ethical and responsible disclosure. Instead, they’ve tarnished the image of a very worthwhile project and have impregnated the whole thing with an air of egocentrism, self-aggrandizement and "script-kiddiness". I hope they change their minds. It’s still not too late.