

iCloud hacker would have warned Apple had it provided a bug bounty - pender
http://www.forbes.com/sites/thomasbrewster/2014/09/04/creator-of-icloud-hacker-tool-i-would-have-warned-apple-if-it-properly-rewarded-researchers/

======
danudey
> Yet ethical hackers looking to make a name for themselves would probably be
> far more willing to responsibly disclose vulnerabilities if money was on the
> table.

Here's a simple rule of thumb: if you only responsibly report vulnerabilities
when they're going to pay you, and otherwise you just publish them to GitHub
for everyone to use, _you're not an ethical hacker_.

Troshichev frames it like 'it's not my fault I posted this exploit to the
internet, there was no bounty in place to prevent it!' He could well have
reported it to their security teams and been happy with having contributed to
the world, but instead he not only discussed the bug publicly, but _published
a tool allowing people to easily exploit it_.

There is no point of view here where Troshichev is any sort of ethical 'good
guy'. This is extortion, a thug saying 'Oh, that's really too bad about your
windshield. If only there was some way you could pay someone to keep this from
happening again. Who knows how bad it could be next time.'

------
joshdance
First of all, Forbes reporting on hacking needs to be taken with a grain of
salt. Second, he 'would' have 'should' have is easy to say after the fact.

------
dspillett
In other news, burglars say they would invade homes and take stuff if they
were paid not to.

------
TeeWEE
I thought Apple discovered it was a social hack, not a technical one... Or is
this just PR?

~~~
serge2k
If that script was used then Apple had a security flaw which allowed a very
simple attack.

The article mentions ethical hackers and researchers. This guy posted an
unpatched vulnerability to GitHub. Even without a bug bounty program he could
have submitted a report, waited for a patch, and then written it up for some PR.
Instead Forbes gives him credibility he doesn't deserve.

