A not fun fact: I didn't get a security bounty for a macOS release that was done specifically to address an issue I found.

https://mjtsai.com/blog/2024/05/14/no-bounty-for-kernel-vulnerability/

The rationale was that I disclosed the issue publicly. Which I did after reporting it in the beta releases, and after they said “we're unable to identify an issue in your report”, AND AFTER THEY RELEASED THE FUCKING VULNERABILITY.

https://mastodon.social/@chockenberry/111580066311950281

I have no energy/desire to argue with Apple, but this ain't a good look for a $3T company.


@chockenberry @atlauren and you’re whining on X? Really? You should take this up privately with Apple.
@vermyndax my dude, do you know who CHOCK is?
@atlauren My point is that you shouldn’t have to resort to posting publicly (let alone on X, which is a shitty place to be regardless). Praise in public, correct in private.
@vermyndax @atlauren “Praise in public, correct in private.”
@vermyndax @atlauren (Also, @chockenberry posted his message to Mastodon, not X, so I’m not sure what that is about…)
@jeff @atlauren Very fair criticism, I accept that.
@atlauren I don't know where my eyes replaced @chockenberry's post with “X”, but it's clear I wasn't tracking properly last night.
@vermyndax I did wonder if the whiskey was involved. 🤣
@atlauren It *totally* was. Looking back at this stream I'm like... seriously, who was this guy? Sigh. Sorry all.
@vermyndax @atlauren Read the posts. I did, and got nowhere.
@mingistech @chockenberry @atlauren I dunno why I thought his post was on X, and now I see that it wasn't. Therefore, my post about it being on X is invalid (as is most of what I said after having read through the thread).

@vermyndax Anyone who has ever worked with Apple knows that while their stance may be “whining publicly doesn’t work,” without doing so, they don’t fix things.

If Apple didn’t care enough to identify the issue when Craig reported it privately, what exactly makes you think that discussing compensation privately will get him the bounty? It’s clear that public display is more likely to get their attention. If it worked privately, he wouldn’t be here.

@louie Is the interest to get the issue resolved or the monetary award?
@vermyndax you're trying to force a single answer? I won’t engage with that.
@chockenberry What the hell. Talk to a lawyer.
@chockenberry Sounds familiar. When I reported a small issue with the Sign in with Apple API they denied there was a problem when they reported back (took months). The thing was that they fixed the problem just before reporting back. 😮 But they introduced another bug. Now one of the boolean values was put in the signed response as the string “true” or “false”. Which potentially leaves implementations vulnerable. So I filed another report. After which their documentation was silently altered at some point. 🙀 I never heard back from them.

I reported a bug to Apple in the late 1980s. From their reaction, I concluded that company is arrogant. Since then, I have found nothing to make me reconsider that initial assessment.

Full disclosure: I used their products only when my employer said I had to, which summed up to some four years total ever since.


@chockenberry When I accidentally found a Fastmail security flaw a few years back and tweeted @ the CEO I didn’t even know they had a bounty. They quickly responded, told me they did and wanted to pay me for it. All they asked was that I take the tweet down as it had other people’s personal data in it (which I did). Apple consistently shoot themselves in their feet. So disheartening. They should be thanking you that you persisted!