David Maynor, previously known for the disastrous clown car known as the Apple Wifi Hack, posted some info on exploits he’s discovered in the new Safari beta. This is a bit disappointing, but not altogether surprising, considering it’s, ya know, beta software.
What’s more disappointing is this “I don’t like Company A, so being irresponsible is kosher” kind of thinking that Maynor exhibits:
Keeping with our disclosure policy, we do not report bugs to Apple.
And further down:
… in most cases we will give vendors as long as they need to fix problems. If the vendor is unresponsive or makes threats, we will give them 30 days then release details. If a vendor answers a vulnerability disclosure with marketing and spin attempts, we no longer report vulnerabilities to that vendor but the information goes into our Hacker Eye View program for customers and will be used in pentesting.
So if you happen to use a product that is made by a company Mr. Maynor decides he doesn’t like, he won’t tell you what the problem is or how to fix it. Unless you pay him. But you will get vague descriptions of the exploit on his official Blogger site.
Two things are problematic with this. First, there is the fact that Maynor even has a policy like this, one that is so obviously open to abuse via personal preference and emotion. There are bigger things to consider than hurt feelings when dealing with vulnerabilities, like the safety of the people using the exploitable product. Anyone who decides to take on the role of a security “expert” or “adviser” needs to understand that and act accordingly. If they can’t, they need to find a new line of work.
Secondly, the caveat that Maynor is willing to release this info for a price. I won’t make the argument that no exploit information should ever be anything but free — I haven’t thought that one out enough — but I do think it is wrong to only release exploit information about a free, widely distributed, consumer-level application to folks who have paid the toll. This is, I believe, a matter of public safety, and treating it like some kind of mercenary mission demonstrates a disappointing lack of regard towards those who will be most affected by these exploits: the users.
All of us who do work in security need to do a gut check, and make sure we’re doing this for the right reasons. The public good needs to be placed before our greed and our egos.