
> Your expectations are unrealistic.

Wait, what? You think it's unrealistic to expect every security-related bug filed to get some kind of a human follow up within 30+ days?? And this from a company that made over one BILLION in profit during that same time frame?

Uh, no.



The lead-up to your quoted phrase, "it is excruciatingly hard to find talent", describes why this is the case.


Are you suggesting there's some kind of shortage of people who can check an email/database and reply:

"Hello, this is x, with Apple's Product Security team. We've received your report and have assigned it #123456. We will begin investigating soon. Thanks"


I think you should find a security bug in any Apple product and report it before you make representations as to how they handle stuff like this. It's not that hard.


Wow your third reply to me ever is an ad hominem? Classic.

And you should probably be more careful in what you wish for because I actually have reported security vulnerabilities to Apple before. And in one case, I waited even longer than a month for a reply (rdar://3775607).

Did you still have a point to make?


Yes: that I don't believe Apple is actually sitting on security bugs and not telling researchers they've received them, based on our own experience reporting bugs to them.

I don't know how or what you reported or what channel you used to report it. It's possible that Apple makes this reporting process overly confusing. But I simply don't buy that other large vendors are significantly better at reporting progress than Apple. The MSRC takes flak all the time for how they handle reports, Adobe gets more flak than even Apple does, and I think your expectations are unrealistic.

In all cases, the process is, report bug, get pro-forma response, wait forever. Hence NMFB, hence "rebooting responsible disclosure".

If you reported an obviously bad flaw to Apple using product-security@, and they never fixed it or fixed it without crediting you on the credits page they've maintained for something like 5 years now, I apologize for making the assumption that someone saying the things you're saying has never reported a security vulnerability to Apple.


It's great that you don't believe or "buy" that other corporations are better at handling disclosure than Apple, that Apple is maliciously sitting on bug reports, etc., because no one in this thread ever implied that.

Let me try to clear up my point of frustration with the whole untimely response thing.

A quick search reveals that MSRC (which you cited) receives something like 300 emails a day. I could easily be wrong, but let's assume Apple's volume is close to this number as well.

So that's 300 divided by 8 hours a day or about 40 messages an hour. Using my earlier example of a human simply replying with his/her name/contact, and a tracking number, we'll be generous and say it takes a half hour to do this, that's 16 messages processed by a single tier-1 security support staff in one day.

If we now divide 40/received/hour by 16/processed/day we get that APS would need to add roughly 18 additional team members to handle a reporting volume equal to that of Microsoft.

Not from the valley, but it looks like tech support makes around $50K a year out there, which we would multiply by the additional staff: $50K * 18 = $900,000/year.

According to the conference call this week, Apple makes over $32,000,000 in _profit per day_.

Essentially, if Apple wanted to greatly improve their image and contact with outside researchers, they could take 0.03% of a single day's profit and provide every person that submits a bug with an immediate human contact and tracking number.

Hell, even if I float these numbers up by several magnitudes, does it really sound like too much to ask?

edit: mathfail, but bottom line is still valid /done ;)


This is a thoughtful response and I have no snippy response to it, other than to point out that companies have tried hurling money at this problem and appear to be bottlenecked at "finding enough software security people to get the job done".

And, like I said, I think they're significantly better at responding to reports than the picture you're painting. We may be talking past each other, but: having an actual human write back and say "thanks, you're secrdar://484799" might not actually make things any better than they already are.

The fact is that large companies haven't figured out how to ship security fixes, and so security fixes are ending up getting triaged alongside all other classes of product flaws. And that isn't working.



