Shocker: Beta software contains bugs! To find out more, pay me

David Maynor, previously known for the disastrous clown car known as the Apple Wifi Hack, posted some info on exploits he’s discovered in the new Safari beta. This is a bit disappointing, but not altogether surprising, considering it’s, ya know, beta software.

What’s more disappointing is this “I don’t like Company A, so being irresponsible is kosher” kind of thinking that Maynor exhibits:

Keeping with our disclosure policy, we do not report bugs to Apple.

And further down:

… in most cases we will give vendors as long as they need to fix problems. If the vendor is unresponsive or makes threats, we will give them 30 days and then release details. If a vendor answers a vulnerability disclosure with marketing and spin attempts, we no longer report vulnerabilities to that vendor, but the information goes into our Hacker Eye View program for customers and will be used in pentesting.

So if you happen to use a product made by a company Mr. Maynor decides he doesn’t like, he won’t tell you what the problem is or how to fix it. Unless you pay him. But you will get vague descriptions of the exploit on his official Blogger site.

Two things are problematic with this. First, there is the fact that Maynor even has a policy like this, one that is so obviously open to abuse via personal preference and emotion. There are bigger things to consider than hurt feelings when dealing with vulnerabilities, like the safety of the people using the exploitable product. Anyone who decides to take on the role of a security “expert” or “adviser” needs to understand that and act accordingly. If they can’t, they need to find a new line of work.

Second, there is the caveat that Maynor is willing to release this info for a price. I won’t make the argument that no exploit information should ever be anything but free — I haven’t thought that one out enough — but I do think it is wrong to release exploit information about a free, widely distributed, consumer-level application only to folks who have paid the toll. This is, I believe, a matter of public safety, and treating it like some kind of mercenary mission demonstrates a disappointing lack of regard for those who will be most affected by these exploits: the users.

All of us who do work in security need to do a gut check, and make sure we’re doing this for the right reasons. The public good needs to be placed before our greed and our egos.

  • terry chay
    http://terrychay.com/blog/
    06/12/2007 02:44:06 PM

    “The public good needs to be placed before our greed and our egos.”

    The use of the word “public good” is very apropos. Unfortunately, free market systems (driven by greed and immune to egos) are not good at pricing “public goods” (e.g. fire, police, national security, roads, airwaves, libraries, schools) in an efficient manner—instead the good is drastically underproduced.

    When you see thinly veiled extortion attempts, it is a natural outcome from an attitude that doesn’t realize that there are limits to rampant capitalism.

  • vid luther
    http://www.phpcult.com/
    06/12/2007 04:19:32 PM

    I concur. I believe what we’re seeing is a knee-jerk reaction from “fan bois” and “haters”. This guy sounds like he’s going to refuse treatment from an “iFibrillator” just because it’s an Apple product.

    Once you cross the line between objective analysis and zealotry, it’s hard for people to take you seriously, unfortunately. This also marks the steady decline of your influence, and an increase in your flamebait posts.

    Good post Ed.