> If so, the community should change their standard so that public disclosure doesn't happen until a week after the update is available.

The update being available is public disclosure! For an experienced reverse engineer, comparing the files before and after the update is usually enough to pinpoint the security issue.



I can't seem to be able to find a link to it right now but there was even this one project/website that dumped the bindiffs for each Windows Update and their disassembly.


Don't most iOS bugs these days require multiple security exploits in order to work? I'm not sure it's always that simple to find a reliable exploit just based on what code has changed (because lots of code has changed).

If there is an obvious-to-find, easily exploitable bug, the update could be pushed to everyone (the way updates are pushed today).

There is a balance to strike here. If issues with auto update cause enough people to turn auto update off, I'm not sure it's helping security.

Finally, Apple already has beta programs, including public betas. Are those binaries not already used to find exploits?

Essentially, I'm not convinced a phased update (with public security disclosure slightly later) would lead to worse security than we have today.


No, it is not necessarily so. The first phase of rollout can happen to the users and businesses under NDA.


Betas are partly NDA'd to some extent, but this has historically been enforced quite poorly.



