
That Twitter thread and lots of the comments are missing the point. MANY people don't know what the ethics of reporting vulnerabilities are; they just want to say something and get it fixed. Yes, it probably would have been better if this person had gone through proper channels, but there's no evidence they did it for the lulz/fame.

In this case the bug is so bad and egregious, that publicizing it with the fix might have been the best thing to do -- no telling how many people have already discovered this or how long it would take Apple to fix.

Yes, let's educate each other about what responsible disclosure WITH A DEADLINE TO FIX looks like, but don't assume this person just wanted internet points. And now that the report and a workaround are out there, at least it can be mitigated personally.

Though I imagine there will be some SERIOUS hijinks that result from this until Apple fixes it because it is so easy to do. :(



I’m not a security researcher and I don’t work for Apple. If I casually came across this I would totally tweet it out. Anyone asserting I should follow some sort of procedure has a misplaced sense of reality.


Yeah this is not like you have to craft special wireless packets to compromise the Broadcom network stack and then gain access. It's not that kind of vulnerability. This is really dumb and anybody can stumble across it. Hell, I work on network devices and non-production ones have root and blank as the password. I have tried the same in my laptop many times out of habit.

Responsible disclosure works when you are fairly certain you have found something nobody else knows about. Logging in with root must be known to many people.


You would do that... but you don’t consider what you should do... surely responsible disclosure is the smarter strategy?


Responsible vs irresponsible... how would I know? You’re assuming way too much.


The average person who has never heard these things may act as described, but the person should be criticized for it, and if they don't correct their mistake they should be criticized for that too. That's the point of criticism.



