- https://resources.sei.cmu.edu/asset_files/SpecialReport/2017...
EDIT: Changed the link to the CERT guide for CVD.
The only area in that document she would have followed to reach out to Apple's security contact is under the heading of "Security and privacy researchers", of which I am doubting she thought of herself or her 14-year-old son as.
Yet, that is precisely what she did...? Your argument falls on its face by her own action[s].
EDIT: Note in the screenshot that there's an appended "Follow-Up" with what looks to be an ID, which has been added to the Subject field of the email.
- https://cdn.vox-cdn.com/thumbor/zrezAXK0-NdK3ugN3G2Uwd_vzuo=...
Anyway, it's absurd to say that tweets aren't enough warning if they're public. A public disclosure may be distasteful to Apple, but it doesn't change the fact that they have a security emergency.
Who said Tweets weren't enough warning? Did I say that? Where?
...and what does a warning have to do with CVD? The two precepts aren't mutually exclusive, yeah?
Why should they have followed that process? Coordinated Vulnerability Disclosure is just one way of many of disclosing security problems. It's not the single right way.
They started doing just that (didn't anyone actually read the article) and then decided they weren't getting enough traction and tweeted at Apple. Then, someone discloses the full vulnerability later because... reasons?
CVD isn't the single right way, you're correct, but it allows the vendor to address the issue and remediate it, before the exploit is published. In fact, CERT states that they'll publish exploits after 45 days (I think it is) of non-response from vendors.
To me, it sounds like someone started going the right direction and someone else took over the PR value of "the loudest voice gets the most attention" - which there are some arguments for/against.
However, since they already started going down the "right" road, I don't see why there's this crusade to say "all reports should be accepted through any channel". It's an untenable precept.
Should start-ups or FOSS monitor social media for security reports? Don't they define reporting processes of their own?
I'm not saying, "Don't ever use social media," which is what I'm gathering some people misunderstand this as. I'm saying, if they started down the reporting path, via the appropriate channels, then why disclose the vulnerability publicly, if they were already going down the appropriate path?
As someone else mentioned, it should've been on support to see the tweet and pass it on to the appropriate team; especially, since they had already opened a bug for it. Yet, I don't see how this automatically equates to just dumping the exploit into the public domain. (I hope my explanation of it makes sense, at least?)
You might as well comment ‘maybe I’m cantankerous but they don’t seem to be baking a cake here’. You’re right they weren’t baking a cake. So what of it?
>I mean it’s not relevant because that’s not what they were doing.
If they first reported it via the firstname.lastname@example.org, what were they doing then?
Just reporting it by email! Why does that mean they thought they were following someone else's idea of how to do disclosure? It's not called email@example.com is it? Maybe they'd never heard of CVD. Maybe their idea of disclosure is to email and then Tweet it as well.
Do you see what I mean though? You snarkily ask 'maybe I'm wrong but this doesn't look like X' when nobody ever said or implied it was X. It doesn't make any sense as a criticism.
So, to explicitly say they weren't aware of 'x', when it doesn't match the timeline, is also - in and of itself - possibly disingenuous. Do you, at least, see where I'm coming from on that angle?
I see where you're coming from but I don't think it really does imply they were aware of CVD enough to be snarky and wave a standard in their face. They probably just thought they'd give Apple some time instead of thinking 'I'll follow CVD here'.
If they do have Twitter and other social media accounts for support then I think they should.
The story behind this particular report seems muddled quite a bit and the history of the report is quite weird. Maybe they wanted to have dibs on the report as Apple does not have a bounty program?
That's, pretty much, what I'm getting at. Everyone wants to jump on the "Apple's done a shit job with this" bandwagon, which - if you hate Apple - is your prerogative, but to go from reporting it, to a tweet, to a full drop of the exploit publicly in less than a day from the actual tweet isn't going to end well for any company - no matter who it is.
>Maybe they wanted to have dibs on the report as Apple does not have a bounty program?
That's - ultimately - what I believe happened here.
I still fail to see what that has to do with CVD, though?