Security NDAs

I posted a security issue to Apple's Radar about a year ago.  A few weeks later I got an email from them thanking me, and letting me know that this issue was now under NDA.  

Time went by, and eventually they emailed me to ask what name I wanted to use when I'm credited in the release notes of the build that fixes the issue.  Awesome!  But also, they said that if I mentioned this issue anywhere, they'd retract my credit line.  And so I've been pretty quiet.  No one but the people at Centrix.ca have seen the code that triggers the flaw.  Not that my ego needs Apple to write my name on something, but yes, it'd be freaking nice.

WWDC ‘09 came along, and I got to try 10.6 for the first time there.  The first thing I did was check to see if my security bug was present.  It was not.  Well… that’s good, I thought.

10.5 has never been fixed though.  The bug still exists in the latest 10.5 build.  This irks me.  What irks me the most though, is that I still can’t talk about it.  I want to talk about how I found this bug, what I was trying to do (and achieved!) when I found it.  

Legally speaking, I don’t think their NDA has a leg to stand on.  You can’t just send someone an NDA and say “ok that info you gave us previously is under NDA, you can’t talk about it” without having the person agree to it (I think?).  I can understand that they don’t want security vulnerabilities in the wild.  But fucking fix it!  Obviously they know how, since 10.6 doesn’t have the flaw.

Last week I logged on to bugreports.apple.com, and saw that now suddenly my issue has been marked as a duplicate.  That’s a slap in the face.  What’s my motivation to keep quiet now?

Short URL for this post: http://tmblr.co/ZhqSVyUFQds