“You didn't answer in #48. You haven't quoted Apple saying anything of the sort. Rather, you are relying on the PC Magazine author to be accurate in his characterization of official Apple responses to Maynor.
His hack was the same event I mentioned in my previous post, isn't it? After many hours and many failures, they changed the rules of the challenge in order to break into the MacBook Pro, right? And the exploit did require user intervention to trigger it, right?”
No, I said it based on personal knowledge of the situation, and that’s all I have to say about that. :)
I was referring to MAYNOR’s bug, the wifi driver issue. Not the QuickTime issue discovered by Dino Dai Zovi.
Interview
http://blogs.zdnet.com/security/?p=176
Some of his other Apple exploits:
http://www.theta44.org/research.html
On my site, I list several vulnerabilities I've found and reported to Apple and I've found them to be very responsive and upfront about verifying things and giving credit. Some things are fixed quicker than others and maybe you can say they take too long on some things, but when there are interdependencies on components being fixed, it can be a month or two before you see a patch.
They do tend to be a little quiet when dealing with researchers. They'll communicate on an as-needed basis and if you don't provide adequate information, maybe they'll follow up and ask for more. When I report bugs to Apple, I send full details including an exploit. They've been very good about pinpointing the issue and providing a fix.
I had an issue once where their engineers had trouble reproducing a vulnerability and I had to send more information and an actual exploit. After that, they found it and fixed it. I've always received appropriate credit.