👤josu🕑6y🔼361🗨️131

(Replying to PARENT post)

It's somehow never the tech companies' fault for willfully designing inept feedback channels or even null-routed feedback channels in Google's case to impede customers communicating with them. I think many companies, especially given $200b in savings, could have handled this report better. Many companies without $200b can receive information from a customer without it passing through journalists first.

What's especially pathetic is it doesn't matter what you're reporting - a grave security bug, a widespread hardware flaw, a longing for better functionality - Apple doesn't want to know. In fact they warned iOS developers against trying to get their attention.

     If you run to the press and trash us, it never helps.
https://medium.com/@krave/apple-s-app-store-review-process-i...
👤benologist🕑6y🔼0🗨️0

(Replying to PARENT post)

I can only imagine the amount of bug reports, real and false, that a company of Apple's size must receive on a daily basis. Is there any company at that scale that can reliably filter through all of them to find actual, critical bugs quickly?

It simply isn't as easy as saying 'flag all reports with 'security vulnerability' in the submission for priority.' That could still be thousands of reports in the 'priority' queue, most of which some person would need to manually investigate one by one.

👤jm20🕑6y🔼0🗨️0

(Replying to PARENT post)

Years ago my team and I discovered a pretty significant bug in Safari's/CFNetworking's TLS implementation. Once the browser had deemed a certificate valid once, it would subsequently accept it for all hostnames. We got absolutely nowhere with Apple's official security contacts. The issue only got resolved months later, after I was able to find an employee from their security team at WWDC and explain the issue face to face.
👤markonen🕑6y🔼0🗨️0
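The failure mode markonen describes (a certificate accepted once is then trusted for every hostname) comes down to a validation cache keyed by the certificate alone instead of by certificate and hostname. The following is an added illustration, not code from the thread and not how Safari or CFNetwork are actually implemented: certificates are stand-in dicts with a constructed fingerprint, issuer and SAN list, `chain_ok` is a placeholder for real chain validation, and the two validator classes show the flawed cache next to a host-bound one that re-checks the name on every lookup.

```python
"""Two certificate-validation caches: one that forgets the hostname
(the bug described above) and one that binds the cache entry to it.
Everything here is constructed for illustration; no real TLS is used."""

# Constructed stand-in for a trust store; a real client walks the chain
# to a root CA, checks validity dates, revocation, key usage, etc.
TRUSTED_ISSUERS = {"Example CA"}


def chain_ok(cert):
    """Placeholder for chain validation: issuer must be in the trust store."""
    return cert["issuer"] in TRUSTED_ISSUERS


def hostname_matches(pattern, hostname):
    """RFC 6125-style name match: exact match, or a wildcard that is the
    whole leftmost label and matches exactly one label (no '*.com')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must cover a single label and must not be a public-suffix-wide match.
    if len(p_labels) < 3 or len(p_labels) != len(h_labels) or not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]


def name_ok(cert, hostname):
    return any(hostname_matches(san, hostname) for san in cert["sans"])


class NaiveValidator:
    """Models the flaw: once a certificate passes, its fingerprint is
    cached and later connections skip the hostname check entirely."""

    def __init__(self):
        self._trusted = set()

    def validate(self, cert, hostname):
        if cert["fingerprint"] in self._trusted:
            return True  # bug: hostname never re-checked
        ok = chain_ok(cert) and name_ok(cert, hostname)
        if ok:
            self._trusted.add(cert["fingerprint"])
        return ok


class HostBoundValidator:
    """Hardened form: the cache key includes the hostname, so a hit only
    occurs for a (certificate, host) pair that was actually verified."""

    def __init__(self):
        self._trusted = set()

    def validate(self, cert, hostname):
        key = (cert["fingerprint"], hostname.lower().rstrip("."))
        if key in self._trusted:
            return True
        ok = chain_ok(cert) and name_ok(cert, hostname)
        if ok:
            self._trusted.add(key)
        return ok


def demo():
    """Run both validators through the same two connections and return
    the decisions, so the difference is visible as data."""
    # Constructed certificate: valid for example.com and its subdomains only.
    cert = {
        "fingerprint": "sha256:constructed-fingerprint-0001",
        "issuer": "Example CA",
        "sans": ["example.com", "*.example.com"],
    }
    naive, bound = NaiveValidator(), HostBoundValidator()
    return {
        "naive_first": naive.validate(cert, "www.example.com"),
        "naive_other_host": naive.validate(cert, "bank.example.net"),
        "bound_first": bound.validate(cert, "www.example.com"),
        "bound_other_host": bound.validate(cert, "bank.example.net"),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The naive validator accepts the second connection because the fingerprint is already in its cache; the host-bound one rejects it because `bank.example.net` is not covered by any SAN. The practical check for any validation cache is the same: the key must contain everything the decision depended on.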

(Replying to PARENT post)

When I saw the headline, I assumed it was a situation where someone had emailed the wrong address or only tried to contact them via Twitter. But upon reading the article I see this is a high-quality report. She was sounding alarms and emailing all the right people. It is insane that Apple missed this.

I think at this point, we need Tim Cook to write an apology piece about how they screwed up, how this won't happen again, and who got fired.

👤FactolSarin🕑6y🔼0🗨️0

(Replying to PARENT post)

Not turning out to be a great week for Apple. Even if they do receive a large number of bug reports, I would like to think they have the resources (let's face it, they're not cash-strapped) to resolve something as critical and privacy-focused as this. Their failure to do so makes a mockery of their users who pay a significant premium for their products, often in the name of privacy.
👤osrec🕑6y🔼0🗨️0

(Replying to PARENT post)

What is happening with Apple - people used to justify the high cost of Apple devices claiming they paid for the "high quality". But now ... First the "bug" that allowed root access on macOS and now this "bug" that literally allowed anyone to spy on you through your iPhone? Not to speak of iPads / iPhones that bend, iOS throttling due to weak batteries etc. etc.

Something is quite wrong ...

👤webmobdev🕑6y🔼0🗨️0

(Replying to PARENT post)

👤dang🕑6y🔼0🗨️0

(Replying to PARENT post)

People who think that what happened is unacceptable need to understand that Apple must receive a lot of these types of calls every week. What would you do if someone sent you multiple messages saying that they found a major issue _without even detailing anything_ while this person actually wants you to give them money for what they found (which they still haven't disclosed any information about)? I'm sure the majority would ignore these calls unless some details were shared about the issue.

I am not surprised about what happened at all. There is an argument that can be made about the fact that it took Apple so many years to finally implement group video calls, so they could have taken a little bit of time to do it right, but other than that, I don't see how Apple could have prevented a bug that a person wasn't willing to disclose without having money first.

👤ninedays🕑6y🔼0🗨️0

(Replying to PARENT post)

Another product stream and company (and hype) I was never a fan of. The best thing they did was to rip off FreeBSD, and the worst was to break the *nix-compliant userspace and influence design UX and UI patterns for a new generation.
👤romeisendcoming🕑6y🔼0🗨️0

(Replying to PARENT post)

There has recently been some activity here on HN regarding formal model checking and protocol verification (TLA+, SPIN, Promela...). I guess they are relevant to this case.

This stuff is hard.

👤pantulis🕑6y🔼0🗨️0

(Replying to PARENT post)

That letter from the lawyer to Apple is quite inflammatory.
👤qrbLPHiKpiux🕑6y🔼0🗨️0

(Replying to PARENT post)

Maybe I'm just too old and cantankerous and just don't "get it", but warning Apple via Twitter[0] isn't really following a Coordinated Vulnerability Disclosure process, yeah?

[0] - https://resources.sei.cmu.edu/asset_files/SpecialReport/2017...

EDIT: Changed the link to the CERT guide for CVD.

👤renholder🕑6y🔼0🗨️0

(Replying to PARENT post)

from petaluma to kankakee! finding bugs in the internet of shitty things! the latest craze to sweep the nation!
👤a-dub🕑6y🔼0🗨️0

(Replying to PARENT post)

How many other hundreds-of-billions-of-dollars companies could produce a production code fix faster?
👤jachee🕑6y🔼0🗨️0