Why The Guy Who Disclosed The macOS Security Vulnerability On Twitter Did The Right Thing

Now that the security vulnerability, which was of #EpicFail proportions, is fixed, attention is turning to how it was disclosed. This vulnerability was disclosed on Twitter by developer Lemi Ergin.

Now, people are ripping into this guy for disclosing it on Twitter rather than following this method for disclosing it, which would have been the responsible thing to do according to many. And those who say that are 100% correct. Responsible disclosure, as it is known, is a great system for disclosing these bugs because for the most part it works.

Except in this case.

The reason I feel that this is the exception is that this vulnerability was quietly discussed on Apple’s developer forums two weeks ago. While Apple doesn’t actively participate in these forums, they do monitor them, which implies that Apple could or should have been aware of this. But it is entirely possible that this slipped through the cracks. Let’s assume that the latter is at play here for a second. That would explain why the latest macOS High Sierra 10.13.2 beta didn’t fix this, because if Apple had been aware of this, you’d think they would have fixed it in the beta.

So, from Ergin’s standpoint, you had an unfixed vulnerability that was essentially in the wild because it was being discussed on a public forum that anyone or any search engine can find. Logic says that someone with ill will could find this at any time and start pwning Macs left, right and center via malware or some other means. And perhaps that might have even been in the works, for all anyone knows. Thus I am guessing that he decided the only course of action was to make it public via Twitter in the hope that Apple would fix it quickly. Which, to their credit, they did. If you follow this logic chain, you can make an argument that this was the right course of action in this specific case.

The way I see it, the people who report bugs to software companies are the good guys. There are rules, like the responsible disclosure method, that the good guys follow. But every once in a while, in extreme circumstances and only when it can be justified, the good guys get to break the rules. If Lemi Ergin had not broken the rules, this might have turned out differently, as someone could have taken this vulnerability and caused real damage with it. Thus if I were you, I wouldn’t rip into this guy; I would be sending him a thank you.
