[an_account]

As a Mac user, I feel it’s irresponsible. I don’t want zero days published before Apple has a chance to fix.

I also think that the vendor has a responsibility to fix the exploit quickly, and if not the researcher should publish and shame the vendor.

[Digital-Citizen]

Is 3 years considered quickly enough? How about 3 years for a remotely-exploitable problem? According to <a href="http://www.telegraph.co.uk/technology/apple/8912714/Apple-iT... Telegraph</a>, "Apple was informed about the relevant flaw in iTunes in 2008, according to Brian Krebs, a security writer, but did not patch the software until earlier this month [Nov 2011], a delay of more than three years.".

It seems to me that nobody but Apple has a responsibility to its users. The public at large certainly doesn't owe Apple (or any other software proprietor) specific performance regardless of whether they report what they've found publicly or when.

Apple is also not being nice to its users by denying them software freedom: most of MacOS is proprietary and the aforementioned bug concerned iTunes, a proprietary media player. So no matter how technically savvy and willing the user is, they're not allowed to diagnose and fix the problem, prepare a fixed copy of the changed files, and help their community by sharing copies of the improved code.

"Responsible disclosure" is indeed propaganda that benefits the proprietor in a clumsy attempt to divert blame for a product people paid for with their software freedom as well as their money.

[mcny]

The author has commented above. It seems Apple was aware of this issue before the author published it. I wouldn't put any blame on the author at all.

[jodrellblank]

I don’t want zero days published before Apple has a chance to fix.

Because you think you are safe until publication?

What kind of "if I don't know about it, it isn't happening" worldview is that?