Has it occurred to anyone that Apple has weighed the pros and cons of responding to vulnerability disclosures and decided that it's not worth engaging the security community?

Why deign to listen to researchers whose interests are directly at odds with those of the company? Further, why lend researchers mainstream credibillity by acknowledging them?

Microsoft is in a losing battle because it has set the precedent of issuing patches in response to disclosures, and now it finds itself at the whim of whomever decides to release a new exploit/worm.

Given the limited probability of any given internet-connected host being an OSX machine, Apple benefits from the convenient position that it just isn't economical to write a Mac worm, so not even a few worms will undermine its reputation.

Other than to appease a few thousand conference-goers, what incentive does Apple have to respond to unsolicited advisories regarding uncommissioned security research into its products?

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/newsbriefs/468/1862#1862