Recently, someone announced that a new Apple-related security bug would be posted every day for the month of January (see the URL below). The stunt comes on the heels of other such projects, dubbed Month of Kernel Bugs and Month of Browser Bugs. There was also a proposed Month of Oracle Database Bugs, but that stunt never came to fruition.
You might have read my recent Security Matters blog article in which I questioned whether this relatively new "month of bugs" trend is stupendous or just plain stupid. If you missed it, you can read it at the URL below.
The problem I see with these events is that they place millions of computer users at severe risk. The alleged motives for launching these events vary, but it seems to me that they're primarily publicity stunts designed to draw attention to the operators of the events. If that weren't the case, then the bug publicists would at least post their bugs anonymously. Furthermore, if they really cared about the overall effects of their bug reports, they'd be more responsible with their disclosure methods instead of leaving people vulnerable while vendors scramble to fix the bugs.
At least some people out there have a conscience. In response to the recent launch of the Month of Apple Bugs (MOAB) comes the cavalry riding to the rescue, led by Landon Fuller, a former Apple engineer.
Fuller found out about MOAB and decided that it would be a good exercise and public service to fix the bugs while waiting for official fixes from Apple. So day by day, as the new bugs are posted, Fuller works to find ways to fix them and subsequently releases patches.
In addition to Fuller's work, William Carrel stepped in to set up a MOAB Fixes group at Google where MOAB patch coordination is taking place. There you can find open discussion along with the patches released so far. The group is accessible at the URL below.
Apple will undoubtedly release its own patches for the bugs in the near future. However, so far the company hasn't said anything publicly about possible patches or the MOAB project. Although Fuller formerly worked at Apple and is helping to fix the bugs on his own, he stated that he hasn't heard anything from Apple regarding MOAB or his patching efforts.
I think that the work of the people who are now involved in patching the issues made known by the MOAB project is admirable. The people who launch these "month of bugs" stunts could take a lesson in public service from the example being set. But will they? I doubt it.