We can spin this to match whatever our particular bias may be, so here's mine:
"Security Researcher" was a term coined to help white hat hackers escape the stigma of being associated with black hat hackers. At this point, it's just as hard to trust the motivation of a "security researcher" as it is a "hacker."
It seems that some elements of the "security research" community are putting ego and reward in front of security. If they don't like how Apple is handling its bounty program they threaten to take their discoveries to the highest bidder, or expose them for all to see (and use). That's not exactly White Hat behavior.
Since White Hat/Black Hat are terms lifted from the movies... what White Hat (like the Lone Ranger, Wyatt Earp, Hopalong Cassidy, Roy Rogers, etc.) would, if they detected a security weakness down at the Sagebrush Bank and Trust, threaten the bank manager, "Well, I'll just tell the Dalton Gang about this if you don't fix it right pronto! Oh, and don' fergit to tell the Tombstone Gazette that I'm the one who told ya ta fix it, and I 'spect ta see that fine Appaloosa o' yers grazin' in my corral by next sunup."
Sure, it's been accepted practice for some time to give a developer like Apple, Microsoft, Google, etc. a set period of time in which to privately fix an issue before taking it public. It certainly seems like a plausible way to encourage a timely response from a big, slow-moving bureaucracy. Call it a 60-day threat. The trouble is, there is room for abuse as well.
Then there's the definition of "zero-day" threat. Any threat unknown to the developer, or if known, has yet to be fixed, gets that scary term. "Zero-day" does not define the severity of the threat, but there have been plenty of media reports that give the impression that "zero-day" means Doomsday is at hand. What's the difference between "zero-day threat" and "previously undetected threat?" Nada. But you can be sure the only term some Security Researchers will use to describe their discoveries is the more inflammatory, "zero-day."
I'm not discounting the risk posed by the threat described here, but due to one key pre-condition - that the web form can only be accessed by finding/stealing an AirTag - it's a whole lot harder to exploit than, for example, sending a malicious link via SMS or email. OMG, entire communications systems are threats! (How much is that insight worth to Apple?) And by its nature (a data form field lacking data validation rules), this particular threat is pretty darned easy to fix (so yeah, fix it pronto, Apple). Meantime, what can, say, MacRumors do to ensure that only safe URLs are inserted in posts like this?