Hacker News

I can't do responsible disclosure when there are tens of thousands of apps using webView. The number of vulnerable apps is way too high for any kind of responsible disclosure.



You could have told Apple. They could fix this in iOS, blocking the apps via a software update.

If it was me, I would have notified Apple and all of the companies who have bug bounty programs.


Apple knows. Look at the security content of iOS 7.1.

http://support.apple.com/kb/HT6162

I reported CVE-2013-6835. They fixed Facetime-Audio from Safari, but not from other browsers (yet?). This is quite a wide issue. I do not think letting every individual developer know is feasible. I did it for a few bad issues, but there's a limit to what can be done.

And a lot of these can be found in a matter of minutes anyways.


It might not be feasible, but why not if they might pay you money for it?



