[davej]

Sounds good in theory. In reality, the vast majority of iPhone users are not aware that this bug exists and never will be. The best action for user safety is to wait until the period has elapsed or the exploit has been seen in the wild already.

Alternatively, they could publish the gist of the exploit without providing enough detail to actually perform the exploit.

[ptaipale]

Publishing it like this will make them more likely to be aware of it. They may not read Hacker News but it spreads to Facebook user groups etc.

The bad guys (many enough of them) will anyway figure it out right away after the patches have been published, because with every patch, people will (and should) ask "why".

[rocqua]

Publishing the gist of the exploit, combined with access to diffs of the patch should be enough for people to reverse engineer the exploit.

[davej]

Where are they going to get access to the diffs of the patch? iOS is closed source.

[inlined]

Reading (dis)assembly is a skill many in our profession are required to learn. It’s common in OS & security fields. Heck, when developing Windows on ARM we were told Friday that we’d come to work Monday with a mandatory “no source” debugging session where we had up to an hour to describe a hanged program’s intended behavior and why it was hanged. One of my colleagues also refused my symbols when I asked for help debugging a program. He was more comfortable in ASM than the latest C++