
Maybe I'm just too old and cantankerous and just don't "get it" but warning Apple via Twitter[0] isn't really following a Coordinated Vulnerability Disclosure process, yeah?

[0] - https://resources.sei.cmu.edu/asset_files/SpecialReport/2017...

EDIT: Changed the link to the CERT guide for CVD.

Reading that website you provided, the mother was correct to hit up twitter as they suggest that "Customers" contact Apple Support. Their twitter is an official channel to that end.

The only area in that document she would have followed to reach out to Apple's security contact is under the heading of "Security and privacy researchers", of which I am doubting she thought herself or her 14 year old son as.


>...of which I am doubting she thought herself or her 14 year old son as.

Yet, that[0] is precisely what she did...? Your argument falls on its face by her own action[s].

EDIT: Note in the screenshot that there's an appended "Follow-Up" with what looks to be an ID, which has been added to the Subject field of the email.

[0] - https://cdn.vox-cdn.com/thumbor/zrezAXK0-NdK3ugN3G2Uwd_vzuo=...


The tweet wasn't the warning. The tweet describes the 14 year old's mom sending a formal notice of some kind.

Anyway, it's absurd to say that tweets aren't enough warning if they're public. A public disclosure may be distasteful to Apple, but it doesn't change the fact that they have a security emergency.


>Anyway, it's absurd to say that tweets aren't enough warning if they're public.

Who said Tweets weren't enough warning? Did I say that? Where?

...and what does a warning have to do with CVD? The two precepts aren't mutually exclusive, yeah?


You yourself implied a relationship between CVD and the tweet when you said that a tweet isn’t a valid step in a CVD process.


> isn't really following a Coordinated Vulnerability Disclosure process, yeah

Why should they have followed that process? Coordinated Vulnerability Disclosure is just one way of many of disclosing security problems. It's not the single right way.


>Why should they have followed that process?

They started doing just that (didn't anyone actually read the article) and then decided they weren't getting enough traction and tweeted at Apple. Then, someone discloses the full vulnerability later because.... ...reasons?

CVD isn't the single right way, you're correct, but it allows the vendor to address the issue and remediate it, before the exploit is published. In fact, CERT states that they'll publish exploits after 45 days (I think it is) of non-response from vendors.

To me, it sounds like someone started going the right direction and someone else took over the PR-value of the loudest voice gets the most attention - which there are some arguments for/against.

However, since they already started going down the "right" road, I don't see why there's this crusade to say "all reports should be accepted through any channel". It's an untenable precept.

Should start-ups or FOSS monitor social media for security reports? Don't they define reporting processes of their own?

I'm not saying, "Don't ever use social media," which is what I'm gathering some people misunderstand this as. I'm saying, if they started down the reporting path, via the appropriate channels, then why disclose the vulnerability publicly, if they were already going down the appropriate path?

As someone else mentioned, it should've been on support to see the tweet and pass it on to the appropriate team; especially, since they had already opened a bug for it. Yet, I don't see how this automatically equates to just dumping the exploit into the public domain. (I hope my explanation of it makes sense, at least?)


If we agree that they didn't claim to be doing CVD, were under no obligation to be doing CVD, and CVD isn't the only way, then why did you comment saying 'this isn't CVD' and post a definition as if they were confused about what CVD is? I mean it's not relevant because that's not what they were doing.

You might as well comment ‘maybe I’m cantankerous but they don’t seem to be baking a cake here’. You’re right they weren’t baking a cake. So what of it?


>If we agree that they didn’t claim to be doing CVD

...and...

>I mean it’s not relevant because that’s not what they were doing.

If they first reported it via the product-security@apple.com, what were they doing then?


> If they first reported it via the product-security@apple.com, what were they doing then?

Just reporting it by email! Why does that mean they thought they were following someone else's idea of how to do disclosure? It's not called cvd-only-security-reports@apple.com is it? Maybe they'd never heard of CVD. Maybe their idea of disclosure is to email and then Tweet it as well.

Do you see what I mean though? You snarkily ask 'maybe I'm wrong but this doesn't look like X' when nobody ever said or implied it was X. It doesn't make any sense as a criticism.


I see what you're getting at but the point you missed was the week (I believe it was) between when they opened the report and then the tweet happened. Then, not surprisingly, the exploit is fully published publicly (the next day, I think?).

So, to explicitly say they weren't aware of 'x', when it doesn't match the timeline, is also - in and of itself - possibly disingenuous. Do you, at least, see where I'm coming from on that angle?


> So, to explicitly say they weren't aware of 'x', when it doesn't match the timeline, is also - in and of itself - possibly disingenuous. Do you, at least, see where I'm coming from on that angle?

I see where you're coming from but I don't think it really does imply they were aware of CVD enough to be snarky and wave a standard in their face. They probably just thought they'd give Apple some time instead of thinking 'I'll follow CVD here'.


> Should start-ups or FOSS monitor social media for security reports? Don't they define reporting processes of their own?

If they do have Twitter and other social media accounts for support then I think they should.

The story behind this particular report seems muddled quite a bit and the history of the report is quite weird. Maybe they wanted to have dibs on the report as Apple does not have a bounty program?


>The story behind this particular report seems muddled quite a bit and the history of the report is quite weird.

That's, pretty much, what I'm getting at. Everyone wants to jump on the "Apple's done a shit job with this" bandwagon, which - if you hate Apple - that's your prerogative, but to go from reporting it, to a tweet, to full drop of the exploit publicly in less than a day from the actual tweet isn't going to end well for any company - no matter who it is.

>Maybe they wanted to have dibs on the report as Apple does not have a bounty program?

That's - ultimately - what I believe happened here.


Apple staff should copy/paste the information reported to them on Twitter to the relevant team for triage or investigation. The user is already helping enough by telling them on Twitter.


This is true but she had already emailed them and from the looks of the screenshot, received a response[0]?

I still fail to see what that has to do with CVD, though?

[0] - https://cdn.vox-cdn.com/thumbor/zrezAXK0-NdK3ugN3G2Uwd_vzuo=...


It sounds like the problem was that she never got a response. She sent the original letter, never heard anything back from them, assumed it got lost or was ignored, and then tweeted.
