When you submit a security-related bug report to Apple - granted my experience dates from 99-2005 - you get:
A/ ignored (mail auto reply "we might fix it, don't tell anyone or we'll go after you")
B/ bug doesn't get fixed for 2 or 3 years
C/ bug gets fixed, you get no credits
I don't know why this is being downvoted. Apple is notoriously horrible at fixing vulnerabilities reported by the general public, unless they're downright critical.
In fairness, many of the bugs which enable jailbreaking also represent serious security problems. For instance, the various iterations of web-based exploits fundamentally do represent remote code execution, a serious bug in any browser environment. On any other platform, we'd classify them exclusively as security vulnerabilities; however, on iOS, the user has to take advantage of security vulnerabilities to break into their own system.
Not necessarily. Remote exploits, definitely, but entirely local jailbreaks that require booting the phone into a specialized firmware-loading mode don't actually impact the user's security, just Apple's anti-tampering guards against the user.
Wrong. The first jailbreak was done because the iPhone trusted the restore mode commands coming from iTunes. The protocol was totally reworked so that the iPhone would only run some canned scripts. This did nothing to improve device security (it pretty much only enabled the jailbreak), but Apple fixed it fast.
FWIW, I've submitted a couple of (relatively minor) ones in the last couple of years. They were each fixed in the next update and I was credited in the security release notes.
I don't know about the timeframes you quoted, but the Apple security advisories do credit the researchers. See some of the entries here:
http://support.apple.com/kb/HT5002
Submitting a security bug report to the Chromium project was a delight compared to submitting one to Apple. It was obvious that the engineers working on Chromium cared about the problem and were competent. On the other hand, I might as well have been reporting the Apple bug to a brick wall or a black hole.
Odd use of the word "competent", you implying Apple personnel aren't competent because they didn't send a message saying "thank you" with gold stars all over it?
A job well done.
Next time he either should submit a bug report to Apple or avoid using their products.