
Researcher reveals huge Mac password flaw to protest Apple bug bounty - markoa
https://venturebeat.com/2019/02/06/researcher-reveals-huge-mac-password-flaw-to-protest-apple-bug-bounty/
======
forgottenpass
>Generally, white hat security researchers publicly reveal flaws like this
only after informing the company and giving it ample time to fix the issues.
But Henze is refusing to assist Apple because it doesn’t offer paid bug
bounties

This is starting to look really bad for the infosec "community." Without
rehashing all the old arguments around disclosure, and the sorta-recent
arguments around bug bounties, we're now at the point where this doesn't not
look like extortion.

"That's an awfully nice operating system you've got there. It'd be a shame if
someone were to disclose a security flaw without giving you ample opportunity
to fix it."

~~~
51lver
This isn't the mob burning someone's shop down. This is more like pointing out,
hey dude, your door is open, you should close it.

They don't owe Apple anything, and they are not causing the damage (Apple's
negligence did). If Apple doesn't want to handle this in private, they will
have to handle this in public. I don't see the problem. Coordinated disclosure
is a courtesy, not a rule.

~~~
forgottenpass
You don't have to convince me.

You have to convince the technically disinclined that know nothing about
disclosure, but know plenty about people acting in ways that "ensure their job
security."

