
>If we agree that they didn’t claim to be doing CVD

...and...

>I mean it’s not relevant because that’s not what they were doing.

If they first reported it via the product-security@apple.com, what were they doing then?




> If they first reported it via the product-security@apple.com, what were they doing then?

Just reporting it by email! Why does that mean they thought they were following someone else's idea of how to do disclosure? It's not called cvd-only-security-reports@apple.com is it? Maybe they'd never heard of CVD. Maybe their idea of disclosure is to email and then Tweet it as well.

Do you see what I mean though? You snarkily ask 'maybe I'm wrong but this doesn't look like X' when nobody ever said or implied it was X. It doesn't make any sense as a criticism.


I see what you're getting at but the point you missed was the week (I believe it was) between when they opened the report and then the tweet happened. Then, not surprisingly, the exploit is fully published publicly (the next day, I think?).

So, to explicitly say they weren't aware of 'x', when it doesn't match the timeline, is also - in and of itself - possibly disingenuous. Do you, at least, see where I'm coming from on that angle?


> So, to explicitly say they weren't aware of 'x', when it doesn't match the timeline, is also - in and of itself - possibly disingenuous. Do you, at least, see where I'm coming from on that angle?

I see where you're coming from but I don't think it really does imply they were aware of CVD enough to be snarky and wave a standard in their face. They probably just thought they'd give Apple some time instead of thinking 'I'll follow CVD here'.



