Linked by Thom Holwerda on Tue 28th Jun 2011 22:16 UTC
With all the news about Anonymous, LulzSec, Anti-Sec, and so on, you'd almost forget there are more ethical hacking groups out there as well. One such group, YGN Ethical Hacker Group, informed Apple of several weaknesses in its developer website on April 25. Apple acknowledged the flaws, but so far, hasn't done anything about them. YGN Ethical Hacker Group has now stated they will fully disclose the vulnerabilities if Apple doesn't fix them in the coming few days.
RE: Responsible? - responsible disclosure
by jabbotts on Wed 29th Jun 2011 16:01 UTC in reply to "Responsible?"
Apple has known since April 25th. People with criminal intent probably found this on their own and already know about it too. Apple's customers are the last to find out about it, and they are the ones who suffer as a result of any criminals exploiting these issues.

The group discovered problems without breaking laws.
The group disclosed vulnerabilities to Apple directly so they could address them.
The group disclosing those vulnerabilities to the public after the grace period given to Apple allows the public to mitigate the risks, or at least accept them with informed consent, until Apple fixes the problems.

It is indeed ethical. Unethical would have been exploiting the vulnerabilities for criminal gain, not reporting them to Apple, and not reporting them to the public when Apple failed to address them for the responsible protection of its customers.

Look at it this way. I build a tree-house for my kids. Someone sees that parts are coming loose; kids could fall through the floor or be hit by falling parts. They report it to me: "When I picked Jimmy up after the play date the other day, I noticed that the old tree-house needs some work."

Two months later I've done nothing to address the risk of injury. "Look, I'm not comfortable with Jimmy visiting to play with your kids if they are going to be in or around that tree-house."

I still do nothing so they start telling friends who also have kids that come over to play with my kids.

One might call this responsible parenting, versus allowing children to get hurt by ignoring these known problems.

The real problem is that companies like Apple have more motivation to avoid the expense of fixing the "tree-house". It often takes public disclosure and proof-of-concept documentation to convince such companies that there is indeed a risk of their customers being hurt when they come over to play. At minimum, customers can be aware of possible injury and take steps to protect themselves.