> isn't really following a Coordinated Vulnerability Disclosure process, yeah
Why should they have followed that process? Coordinated Vulnerability Disclosure is just one way of many of disclosing security problems. It's not the single right way.
They started doing just that (didn't anyone actually read the article) and then decided they weren't getting enough traction and tweeted at Apple. Then, someone discloses the full vulnerability later because... reasons?
CVD isn't the single right way, you're correct, but it allows the vendor to address the issue and remediate it, before the exploit is published. In fact, CERT states that they'll publish exploits after 45 days (I think it is) of non-response from vendors.
To me, it sounds like someone started going the right direction and someone else took over the PR-value of the loudest voice gets the most attention - which there are some arguments for/against.
However, since they already started going down the "right" road, I don't see why there's this crusade to say "all reports should be accepted through any channel". It's an untenable precept.
Should start-ups or FOSS monitor social media for security reports? Don't they define reporting processes of their own?
I'm not saying, "Don't ever use social media," which is what I'm gathering some people misunderstand this as. I'm saying, if they started down the reporting path, via the appropriate channels, then why disclose the vulnerability publicly, if they were already going down the appropriate path?
As someone else mentioned, it should've been on support to see the tweet and pass it on to the appropriate team; especially, since they had already opened a bug for it. Yet, I don't see how this automatically equates to just dumping the exploit into the public domain. (I hope my explanation of it makes sense, at least?)
If we agree that they didn't claim to be doing CVD, were under no obligation to be doing CVD, and CVD isn't the only way, then why did you comment saying 'this isn't CVD' and post a definition as if they were confused about what CVD is? I mean it's not relevant because that's not what they were doing.
You might as well comment 'maybe I'm cantankerous but they don't seem to be baking a cake here'. You're right they weren't baking a cake. So what of it?
> If they first reported it via the [email protected], what were they doing then?
Just reporting it by email! Why does that mean they thought they were following someone else's idea of how to do disclosure? It's not called [email protected] is it? Maybe they'd never heard of CVD. Maybe their idea of disclosure is to email and then Tweet it as well.
Do you see what I mean though? You snarkily ask 'maybe I'm wrong but this doesn't look like X' when nobody ever said or implied it was X. It doesn't make any sense as a criticism.
I see what you're getting at but the point you missed was the week (I believe it was) between when they opened the report and then the tweet happened. Then, not surprisingly, the exploit is fully published publicly (the next day, I think?).
So, to explicitly say they weren't aware of 'x', when it doesn't match the timeline, is also - in and of itself - possibly disingenuous. Do you, at least, see where I'm coming from on that angle?
> So, to explicitly say they weren't aware of 'x', when it doesn't match the timeline, is also - in and of itself - possibly disingenuous. Do you, at least, see where I'm coming from on that angle?
I see where you're coming from but I don't think it really does imply they were aware of CVD enough to be snarky and wave a standard in their face. They probably just thought they'd give Apple some time instead of thinking 'I'll follow CVD here'.
> Should start-ups or FOSS monitor social media for security reports? Don't they define reporting processes of their own?
If they do have Twitter and other social media accounts for support then I think they should.
The story behind this particular report seems muddled quite a bit and the history of the report is quite weird. Maybe they wanted to have dibs on the report as Apple does not have a bounty program?
> The story behind this particular report seems muddled quite a bit and the history of the report is quite weird.
That's, pretty much, what I'm getting at. Everyone wants to jump on the "Apple's done a shit job with this" bandwagon, which - if you hate Apple - that's your prerogative, but to go from reporting it, to a tweet, to a full drop of the exploit publicly in less than a day from the actual tweet isn't going to end well for any company - no matter who it is.
> Maybe they wanted to have dibs on the report as Apple does not have a bounty program?
That's - ultimately - what I believe happened here.