Most people not in tech or infosec have never heard of and are totally uneducated about the concept of responsible disclosure. Maybe it needs to be added to high school computer class?
But this doesn't really need to be responsibly disclosed: it's not something someone can use to get into your machine, but rather a way you could accidentally broadcast your credentials somewhere unexpected.
Announcing on Twitter seems more like "hey be careful, make sure your password field is focused."
Yes, you cannot get into someone else's Mac. However, what if the last opened application was Terminal? I can think of several scenarios where you can do "damage" without logging in—if this bug is real—depending on the last opened application.
So you're going to start typing terminal commands into people's locked MacBooks on the off chance that they've hit this bug and are running a terminal?
It's a flaw that needs to be fixed, for sure, but let's not over-exaggerate the severity as an attack surface. It's much, much more likely that it will cause accidental problems when the owner types something (like in the tweet).
> if this bug is real
Why wouldn't it be? Plenty of people here and on twitter are reporting having hit similar issues (with OS X and even linux, so it doesn't seem completely uncommon).
Plus, even if you understand that, the thrill of having a shot at gaining thousands of followers instantly (like the root empty password guy) if you get lucky and get covered by news outlets is a great incentive for people to not responsibly disclose the security problem. If you responsibly disclose to Apple, it's their mercy to give you any reporting privileges, pay attention to you, and credit you.
That to me is not the right way to think, but in the day and age where number of likes and followers is king, I'd say it's not too irrational.
I've said it before and I'll say it again: You don't need to have heard of "responsible disclosure" to understand that publicly pointing out a bug before it's fixed can lead to people who did not previously know about the bug hearing about it and exploiting it maliciously. That just seems like common sense to me and (I'm willing to bet) many others.
The #iamroot bug was actually filed mid-November with product-security@apple.com according to this week's ATP - a couple of weeks before it all blew up on Twitter.
I think the cause is more pertinent than the symptom here - Apple don't seem to notice filed bugs unless they blow up on Twitter.