The Apple Vulnerability Disclosure Question -- A Testable Proposition

By Paul Rosenzweig
Saturday, March 26, 2016, 9:55 AM

As Ben has reported, Apple has said publicly that it expects the FBI to disclose to it any vulnerability that a third-party outsider might discover. Ben characterizes this as "digital chutzpah" in light of Apple's refusal to help the FBI crack the iPhone security system in the first place. Beyond the chutzpah, Ben makes the point that disclosing the vulnerability would not be necessary under the White House's vulnerabilities equities review process.

Others are not so sure. My friend, Jason Healey, thinks that a fair application of the equities review process requires disclosure. After all, as he notes: "Unpatched iPhones pose a serious risk – allowing other nations or criminal groups to cause significant harm to consumers."

This is, in the end, an empirical question. I think that the FBI will not make a disclosure -- at least in part because the bug (if it really exists) is almost certainly not going to remain secret very long given the intense media scrutiny of the question. This gives the FBI every incentive to keep the secret for as long as it can. Nor does the application of the vulnerability equities process account, I think, for how angry Apple has made certain parts of law enforcement with its position.

So ... if it is an empirical question, it is testable, and I've set out to test it in a gentle and amusing way. I have made a wager with Jay that within 1 year from today (i.e., by March 25, 2017), the vulnerability will not have been disclosed through the White House equity process. If it has, I'll buy Jay dinner at the restaurant of his choice. If not, he's buying for me.