Years ago my team and I discovered a pretty significant bug in Safari's/CFNetworking's TLS implementation. Once the browser had deemed a certificate valid once, it would subsequently accept it for all hostnames. We got absolutely nowhere with Apple's official security contacts. The issue only got resolved months later, after I was able to find an employee from their security team at WWDC and explain the issue face to face.
Care to tell how it went? Did he have an expanation why the process was so crappy? Did hebmaybe even knew about your bug report but was unable tonfonsomething sbout it because of some beaurocracy?
We did not have any visibility into the process. Overall I think they just didn’t see it as that big of a deal, definitely not big enough to change release schedules for. This got assigned a CVSS score of 6.8, so not Critical or even High severity. Still feels pretty severe to me, but I guess that’s how everyone who discovers an issue like this would feel…
