Wow, major cheap shot and Apple bootlicking. This guy finds something EVERYONE missed literally for decades, and HE'S the one endangering tens of millions of Mac users by notifying them of it without first notifying Apple? Oh yeah, because everything must go to corporate Massa first, and then that monolithic non-responsibility corporation will, of "its" own initiative, when "it" decides to, without taking any responsibility and - heaven forbid - actually assigning any blame to any actual human beings, MAYBE let users know, depending on advice from its massive legal team.
And he even let Apple know that it's precisely BECAUSE of this imperious, calculated behavior multiple times in the past that he decided it could not be trusted with this information, for fear it would bury it.
So a little bootlicker writer is paid to claim that, AT THE SAME TIME, this investigator (not Apple, never Apple) endangered tens of millions of people by not kneeling first to Apple Corporate, over something Apple claims is actually no threat at all, nothing to see, move along, the odds are that the Great Pyramid will start flying around on its own before this flaw is ever exploited by anyone.
Both.
Thus, of course, proving Pedro Vilaca's point about how Apple covers its ass FIRST, and deals with any threats to users second.
No, Talisker, you are wrong. The standard in the security industry is to inform the company that can fix the vulnerability before you publish the find, so that hackers cannot do the very expensive damage they are noted for with a vulnerability that many of them are incapable of finding on their own. Vilaca broke the rules of proper behavior for such finds, and those who published it did as well. The normal procedure is to give the publisher of the software approximately three months to address the issue after you notify them, before you go public with a zero-day vulnerability. This asshat was in such a rush to announce it that he did not even bother to notify Apple before he made his presentation . . . no notice at all.
This means that there are millions of innocent people who could be hacked because he was arrogant. He IS the one who is endangering the tens of millions of users. Without him, this unfound vulnerability could have gone unfound for years more . . . or it could have been quietly fixed before the hacker community ever got wind of it, and then announced, which is the normal way these vulnerabilities are handled. But NO, he had to have his fifteen minutes of notoriety instead of a footnote in the security annals. He IS reprehensible.