
Apple has a dedicated team that triages incoming security vulnerability reports. If you search for how to report a security issue to Apple, you will find their e-mail address.

The weird thing to me is that the NYT article says that she tried "faxing Apple’s security team." Having some familiarity with the team and the process of reporting security vulnerabilities to them, I do not recall them ever claiming to have a fax machine. The idea of Apple asking you to fax in a bug report is ludicrous.

That teen's mom is a lawyer. There's still something legally binding about faxes that e-mail doesn't have. At my former employer, we (a remote office of the mother company) were sometimes told to send some info via a real fax, and there was no way around it (other than overnighting the original).

Also, it’s amazing to see she did so much to try to notify them. Yes, not being technical, she couldn’t figure out that security team email, but I wonder why all of the Apple people who were getting signals from her didn’t forward it to that team...

The sender can confirm that a fax has been received correctly on the other end. It will even print out a confirmation page with "message completely received". Can't do the same with emails, so there's no pretending you never received it because it was caught in some filter somewhere outside of your control.

Overnighting is similar in that the carrier should provide confirmation that a package has been successfully delivered.

Unrelated to anything, but... there are many fax vendors (sfax, for example) that provide "virtual fax machines" and that e-mail you received faxes. Those e-mails could get lost. The fax service could lose the data. Just because a fax was received by a "fax machine" doesn't necessarily mean someone actually got it.

Certified mail is probably a better "someone received it" option, if that is the desired requirement.

I'd expect that you can then sue the fax vendor?

Probably something in the ToS about forced arbitration or "best effort delivery", with how things go these days. :/

Just because a fax is sent doesn't mean that the receiver read the content. Were there even details about the issue on the fax, or was it yet another "call me now so I can explain the issue, which I could do by email but I want you to give me money first" type of thing? Can we blame someone for not responding to a fax that doesn't include any details about the issue or how to reproduce it?

The faxed document is linked from the article, no need to speculate what it did and did not include. Hint: as the article says, it includes full reproduction details for the bug.

Just because certified mail is sent and signed for doesn't mean the receiver read the content. The point is that someone got the message, what the recipient does with that message is totally on them.

Lawyers are notoriously superstitious. Worse even than medics, since we managed somewhat to get modern medics to embrace the idea that it's possible to find out whether the blue pill or green pill is best by _doing science_ rather than relying on your gut instinct.

Superstition leads to lawyers doing again a thing that worked previously without knowing why it worked or having any understanding that it's actually necessary for any reason. Most of the weird forms of words in legal contracts are a result of this, the court probably doesn't care whether you demand someone "Cease and desist" or just "Stop fucking doing that" but who wants to risk that they do care? Let's just write "Cease and desist" the same as we did on the previous document...

So, she uses fax because her predecessors used fax, not because there's an actual "something legally binding about faxes". Just superstition.

There are superstitious people in every profession, that's what "sync; sync; sync" is all about - it's just that lawyering seems especially prone.

There is a big difference between medics and lawyers. Medics are playing a game where the rules are set by nature, biology, reality. Lawyers, on the other hand, play a game where the rules are set by other people in the legal industry (lawyers, judges, or legislators). Mortal men cannot issue proclamations about which pill will work and expect their demands to be heeded by nature, but all the rules in the legal system are made by mortal men. If people in the legal system decide that fax machines are blessed, then they are.

For it to reach that screening step it has to be tagged as security bug.

Do you really think a consumer would think to do that? Also, you have to consider the number of bugs that are incorrectly flagged as security issues.

I'm sure reports to product-security@apple.com get immediately flagged as "security".

Knowing how much outright spam a security email address gets... (luckily spam filtering is good enough not to surface them, but a human still has to periodically go through the spam just to ensure there were no false positives)

Even then, the modern day incentives around vulnerability disclosure are not helping. Because security bugs are awarded bounties based on their severity, every single reporter has a financial incentive to hype and inflate their findings. "URGENT" this, "CRITICAL" that, "ACCOUNT TAKEOVER" due to already compromised computer/device, you name it.

Teams without sufficient resources will spend a lot of time dealing with the maladjusted severities. And yes, I believe the "mal-" prefix is warranted. If your report does go through with inflated severity, you stand to make more money.

I am starting to think that a reasonably run bounty programme should state up front that inflated severities in bug reports will reduce their payouts.

I thought it was filed through the standard external bug report tool? (The PS queue is higher priority, but I assume also gets huge amounts of spam)
