Ethics - Bugs - Vurn - Programming

I have been keeping up with the MoaB (Month of Apple Bugs).

What are your feelings, from an ethical standpoint, about what these two guys are doing? While I do see it as a funny smack in the face to Darth Steve, it makes me wonder if what they are doing is wrong or right or neither.

If you find out a problem with something, should you only let the person you bought it from know about it, or should it be at the will of public disclosure?

The thing is, companies are about the bottom line, period. By letting the vendor know beforehand, you are opening yourself up to another question of ethics, because you are at the mercy of what that company does with that information. If you let the bugs go public, some could say that you've served your purpose by letting BOTH the vendor and the USERS know there is something wrong, so it needs to be fixed, and it lights a fire under the ass of said vendor to fix those problems.

I, personally, feel that public disclosure is the best action.

What are your thoughts?

I see two major benefits for public disclosure:

1) Users have a chance to protect themselves.
2) Publicly disclosed bugs tend to get fixed quicker than privately disclosed ones.

The problem is that the value of those benefits tends to get diminished in the real world. In regard to #1, the people who exploit security bugs tend to be more up to date on security issues than honest users. Also, in many cases users don't have any realistic option to protect themselves before the vulnerability is fixed. With #2, bugs may get fixed quicker, but how many more people get hacked in the meantime?

All in all, I'd have to say private disclosure is best, maybe with the threat of public disclosure if the issue isn't taken care of in a reasonable time.

Private disclosure first, then public disclosure between 30 and 90 days thereafter, depending on problem complexity.

Private disclosure first, then, if a company/entity refuses to actually make progress on a fix, public disclosure.