Two security researchers (known as LMH and Kevin Finisterre) have created a web site (http://projects.info-pull.com/moab/) where they intend to publish "security flaws in different Apple software and third-party applications designed for [the OS X] operating system".

Published so far are:
- for January 1, 2007: Apple's QuickTime - A vulnerability exists in the handling of the rtsp:// URL handler. This issue reportedly affects QuickTime™ Version 7.1.3, Player Version 7.1.3. Previous versions should be vulnerable as well. Both Microsoft Windows and Mac OS X versions are affected.

- for January 2, 2007: VideoLAN's VLC Media Player: A format string vulnerability exists in the handling of the udp:// URL handler. This issue reportedly affects VLC for Mac OS X and Microsoft Windows.

- for January 3, 2007: no report has appeared on the site yet.
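The VLC entry above names a format string vulnerability in a URL handler. The following C program is an added illustration of that bug class and is not code from VLC, QuickTime or the MoAB site: it models a hypothetical media player that logs the URL it was asked to open, shows the defective pattern (the untrusted URL used as the format argument) beside the corrected one (a fixed format, URL passed as data), and adds a check that rejects URLs carrying conversion specifiers before they reach any logging code. All function names and the sample URLs are constructed for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a tiny logging helper of the kind media players
 * wrap around vsnprintf(). It has no format attribute, so the compiler
 * will not flag a misuse of it the way it flags printf(url). */
static void log_msg(char *out, size_t outsz, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
}

/* Defender-side check: count '%' conversion specifiers in untrusted text.
 * A URL legitimately contains "%%" only as an escaped percent; anything
 * else ("%s", "%x", "%n", ...) means the string must never be used as a
 * format. Returns the number of specifiers found. */
int count_format_specifiers(const char *s) {
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" is a literal percent, skip both */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Vulnerable pattern (hypothetical): the URL itself becomes the format.
 * Any '%' directive in the URL is interpreted by vsnprintf(). */
void handle_url_unsafe(char *out, size_t outsz, const char *url) {
    log_msg(out, outsz, url);          /* BUG: url is the format string */
}

/* Corrected pattern: a fixed format, the URL is only ever data. */
void handle_url_safe(char *out, size_t outsz, const char *url) {
    log_msg(out, outsz, "opening %s", url);
}

/* Belt-and-braces variant: refuse suspicious input before logging it.
 * Returns 0 on success, -1 if the URL carried format directives. */
int handle_url_checked(char *out, size_t outsz, const char *url) {
    if (count_format_specifiers(url) > 0) {
        snprintf(out, outsz, "rejected URL with format directives");
        return -1;
    }
    handle_url_safe(out, outsz, url);
    return 0;
}

int main(void) {
    char buf[128];
    /* Constructed inputs: "%%" is the only directive that is safe to run
     * through the vulnerable path (it consumes no arguments), but it still
     * shows that the URL is being *interpreted* rather than copied. */
    const char *benign = "udp://239.0.0.1:1234/%%";
    const char *hostile = "udp://239.0.0.1:1234/%s%n";

    handle_url_unsafe(buf, sizeof buf, benign);
    printf("unsafe : %s\n", buf);        /* udp://239.0.0.1:1234/%  */
    handle_url_safe(buf, sizeof buf, benign);
    printf("safe   : %s\n", buf);        /* opening udp://239.0.0.1:1234/%% */

    printf("specifiers in hostile URL: %d\n",
           count_format_specifiers(hostile));   /* 2 */
    if (handle_url_checked(buf, sizeof buf, hostile) != 0)
        printf("checked: %s\n", buf);
    return 0;
}
```

The example deliberately never feeds a URL containing `%s` or `%n` through `handle_url_unsafe`, since that would be undefined behaviour; the `%%` case is enough to show that the unsafe path interprets the URL while the safe path copies it verbatim. In a real code base, compiling with `-Wformat -Wformat-security` (and giving wrappers like `log_msg` a format attribute) catches the unsafe call at build time.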

The authors of the website describe their efforts this way:
     "This initiative aims to serve as an effort to improve Mac OS X, uncovering and finding security flaws in different Apple software and third-party applications designed for this operating system. A positive side-effect, probably, will be a more concerned (security-wise) user-base and better practices from the management side of Apple. Also, we want to develop and provide tools and documented techniques to aid security research in this platform. If nothing else, we had fun working on it and hope people-with-a-brain out there will enjoy the results. "

Their FAQ page also addresses whether the issues are reported to the vendor before public disclosure:

     "Rarely, the point is releasing them without vendor notification. Although, sometimes we may decide to pass an issue through the appropriate people. The problem with so-called 'responsible disclosure' is that for some people, it means keeping others on hold for insane amounts of time, even when the fix should be trivial. And the reward (automated responses and euphemism-heavy advisories) doesn't pay off in the end."

Finally, also on the FAQ page, they indicate they are not very concerned about criticism of their efforts. In answer to the question "John Doe has written a 'post' in his blog, saying he debunks the XXX bug, what's that?", they reply, "No worries. It's probably someone begging for attention or PR-brainwashed."

Apple's response so far? Apple spokesman Anuj Nayar said the company always welcomes feedback on how to improve security on the Mac.