It’s pretty impressive to know an 18-year-old Italian teenager is already finding vulnerabilities in OS X. However, I hope he learns to disclose them responsibly and starts informing vendors first. This week, news surfaced of a zero-day privilege escalation flaw in the latest version of OS X Yosemite. Click play below to learn all about it.
(Episode Runtime: 1:30)
Direct YouTube Link: https://www.youtube.com/watch?v=6WmdmY9kHks
- Teenager releases OS X 0day before telling Apple – V3.co.uk
- GitHub project for the OS X Yosemite Tpwn flaw – GitHub
— Corey Nachreiner, CISSP (@SecAdept)
I’m of the opinion that the tier goes as such:
Responsible disclosure -> public disclosure -> black hat disclosure
Public disclosure over and over again puts pressure on vendors to look beyond what is standard fare regarding security in their products, and keeps them vigilant.
Responsible disclosure makes for lazy security. They don’t actually always act based on this method.
A combination of all three is the reality of the marketplace. Asking the community to act one way is fruitless. It will never happen, so asking for it is pointless.